Timed Automata and Timed Languages
Challenges and Open Problems* 



Eugene Asarin 

VERIMAG, Centre Equation 
2 ave de Vignate, 38610 Gieres 
France 

Eugene.Asarin@imag.fr



Abstract. The first years of research in the area of timed systems were 
marked by a spectacular progress, but also by many natural and im- 
portant problems left behind without solutions. Some of those are really 
hard, some have been completely overlooked, some are known only to 
small groups of researchers but have never been really attacked by the 
community. 

The aim of this talk is to present several open problems and research 
directions in the domain of timed systems which seem important to the 
author. In particular we will consider variants of timed automata, theory 
of timed languages, timed games etc. 
Abstract. The paper presents a new method for building abstract models for Timed Automata, enabling on-the-fly reachability analysis. Our pseudo-simulating models, generated by a modified partitioning algorithm, are in many cases much smaller than the forward-reachability graphs commonly applied for this kind of verification. A theoretical description of the method is supported by some preliminary experimental results.



1 Introduction 

Model checking is an approach commonly applied for automated verification 
of reachability properties. Given a system and a property p, reachability model 
checking consists in an exploration of the (reachable) state space of the sys- 
tem, testing whether there exists a state where p holds. The main problem of 
this approach is caused by the size of the state space, which in many cases, in 
particular for timed systems, can be very large (even infinite). One of the so- 
lutions to this problem consists in applying finite abstract models of systems, 
preserving reachability properties. To this aim, forward-reachability graphs are 
most commonly used [6, 8, 14]. Reachability analysis on these models is usually 
performed on-the-fly, while generating a model, i.e., given a property p, newly 
obtained states of the model are examined, and the generation of the model is 
finished as soon as a state satisfying p is found [6]. An alternative solution is offered by symbolic methods, one of which, very intensively investigated recently, consists in exploiting SAT-based Bounded Model Checking (BMC) [3, 21]. In the BMC approach, satisfiability of a formula encoding reachability of a state satisfying p is tested, using a symbolic path of a bounded length encoding the unfolding of a transition relation. Since the length of this path dramatically affects the size of its propositional encoding, the BMC methods are mainly applicable for proving reachability, but can become ineffective when no state satisfying p can be found (see the discussion in the section on experimental results). Therefore, verification methods based on building (small) abstract models of systems still have a practical importance, and developing efficient algorithms for generating such models remains an important subject of research.

* Partly supported by the State Committee for Scientific Research under the grant No. 8T11C 01419

Our paper presents a new method for generating abstract models of Timed 
Automata using a modified minimization (partitioning) algorithm [5]. The very 
first motivation for our approach has been taken from [20], where the authors 
claim that minimal bisimulating models (b-models, for short) for Timed Au- 
tomata could often be smaller than the corresponding forward-reachability ones 
(fr-models, for short). Since simulating (s-) models [17] are usually smaller than 
minimal b-models, they could be used instead of the latter. However, it is clear 
that there should exist abstract models preserving reachability properties that 
are even smaller than the minimal s-models, as the latter preserve the whole 
language of ACTL. To define these models we relax the requirement on the 
transition relation of the s-models, formulated for all the predecessors of each 
state, such that it applies to one of them only, and call the new class of models 
pseudo-simulating ones (ps-models, for short). The models can be generated using a modification of the partitioning algorithm for s-models [10]. Moreover, the method can be used in an on-the-fly manner for reachability verification.

The rest of the paper is organised as follows: Section 2 presents the related 
work. In Section 3, we introduce Timed Automata and their concrete and ab- 
stract models usually considered in the literature. Then, in Sections 4 - 6 we pro- 
vide a definition, an algorithm, and an implementation of ps-models for Timed 
Automata. Sections 7 and 8 contain experimental results and final remarks. 



2 Related Work 

Different aspects of the reachability analysis for Timed Automata have been usu- 
ally studied on fr-models [8, 14, 16]. In [8], some abstractions allowing to reduce 
their sizes are proposed, while in [14], data structures for effective verification 
are shown. Alternative methods of reachability verification consist in exploiting SAT-solvers [3, 21], BDDs (a solution for closed automata shown in [4]), untimed histories of states and a bisimulation relation [13], or partitioning to obtain pseudo-b-models [19]. Partitioning-based reachability analysis was studied also for other kinds of systems [7, 15]. Moreover, the paper [12] presents
various reachability-preserving equivalence relations. We provide a comparison 
with models generated by these relations in the full version of this work [18]. 

Minimization algorithms for b-models were introduced in [5, 15]. The first 
of them was applied to s-models in [10]. Implementations for Timed Automata 
and b-models can be found in [1, 2, 20, 22], and for s-models - in [11]. The 
paper [20] contains some examples showing that b-models can be smaller than the corresponding fr-models.

3 Timed Automata

Let $\mathbb{R}$ ($\mathbb{R}^+$) denote the set of (non-negative) reals, and $\mathbb{N}$ the set of natural numbers. Let $X = \{x_1, \ldots, x_n\}$ be a finite set of variables, called clocks. A valuation on $X$ is an $n$-tuple $v = (v_1, \ldots, v_n) \in \mathbb{R}^n$, where $v_i$ is the value of the clock $x_i$ in $v$. For a valuation $v$ and $\delta \in \mathbb{R}$, $v + \delta$ denotes the valuation $v'$ s.t. for all $x_i \in X$, $v'_i = v_i + \delta$. For a valuation $v$ and a subset of clocks $Y \subseteq X$, $v[Y := 0]$ denotes the valuation $v'$ such that for all $x_i \in Y$, $v'_i = 0$ and for all $x_i \in X \setminus Y$, $v'_i = v_i$. By an atomic constraint for $X$ we mean an expression of the form $x_i \sim c$ or $x_i - x_j \sim c$, where $x_i, x_j \in X$, $\sim \in \{\le, <, \ge, >\}$ and $c \in \mathbb{N}$. A valuation $v$ satisfies an atomic constraint $x_i \sim c$ ($x_i - x_j \sim c$) if $v_i \sim c$ ($v_i - v_j \sim c$, respectively). A (time) zone of $X$ is a convex polyhedron in $\mathbb{R}^n$ defined by a finite set of atomic constraints, i.e., the set of all the valuations satisfying all these constraints. The set of all the time zones of $X$ is denoted by $Z(n)$.

Definition 1. A timed automaton $A$ is a tuple $(\Sigma, S, s^0, E, X, \mathcal{I})$, where $\Sigma$ is a finite set of actions, $S$ is a finite set of locations with the initial location $s^0 \in S$, $X = \{x_1, \ldots, x_n\}$ is a finite set of clocks, and $E \subseteq S \times \Sigma \times Z(n) \times 2^X \times S$ is a transition relation. Each element $e$ of $E$ is denoted by $s \xrightarrow{a, z, Y} s'$, which represents a transition from location $s$ to $s'$, performing an action $a$, with the set $Y \subseteq X$ of clocks to be reset, and with a zone $z$ defining the enabling condition for $e$. The function $\mathcal{I} : S \to Z(n)$, called a location invariant, assigns to each location a zone defining the conditions under which $A$ can be in this location.

A concrete state of $A$ is a pair $q = (s, v)$, where $s \in S$ and $v \in \mathbb{R}^n$ is a valuation such that $v \in \mathcal{I}(s)$. The set of all the concrete states is denoted by $Q$. The initial state of $A$ is $q^0 = (s^0, v^0)$ with $v^0_i = 0$ for $i = 1, \ldots, n$. The states of $A$ can change as a result of passing some time or performing an action as follows: the automaton can change from $(s, v)$ to $(s', v')$ on $e \in E$ (denoted by $(s, v) \xrightarrow{e}_d (s', v')$) iff $e : s \xrightarrow{a, z, Y} s'$, $v \in z$, and $v' = v[Y := 0] \in \mathcal{I}(s')$; and can change from $(s, v)$ to $(s', v')$ by passing some time $\delta \in \mathbb{R}^+$ (denoted by $(s, v) \xrightarrow{\delta}_d (s', v')$) iff $s = s'$ and $v' = v + \delta \in \mathcal{I}(s)$. The structure $F_d = (Q, q^0, \to_d)$ is the concrete dense state space of $A$.

Besides the relation $\to_d$ defined above, other kinds of transition relations can also be introduced. For our purposes, we define the concrete (discrete) successor relation $\to \subseteq Q \times E \times Q$ as follows: for $q, q' \in Q$ and $e \in E$, let $q \xrightarrow{e} q'$ denote that $q'$ is obtained from $q$ by passing some time, performing the transition $e \in E$, and then passing some time again. Formally, $q \xrightarrow{e} q'$ iff $(\exists q_1, q_2 \in Q)(\exists \delta_1, \delta_2 \in \mathbb{R}^+)\ q \xrightarrow{\delta_1}_d q_1 \xrightarrow{e}_d q_2 \xrightarrow{\delta_2}_d q'$. The state $q'$ is called a successor of $q$, whereas the structure $F_c = (Q, q^0, \to)$ is called the concrete (discrete) state space of $A$.

Let $q \in Q$. A $q$-run of $A$ is a finite sequence of concrete states $q_0 \xrightarrow{e_0} q_1 \xrightarrow{e_1} q_2 \xrightarrow{e_2} \cdots \xrightarrow{e_{n-1}} q_n$ where $q_0 = q$ and $e_i \in E$ for each $i < n$. A state $q' \in Q$ is reachable if there exists a $q^0$-run and $i \in \mathbb{N}$ such that $q' = q_i$. The set of all the reachable states of $A$ will be denoted by $Reach$.

3.1 Models for Timed Automata

Let $PV$ be a set of propositional variables, and let $V_c : Q \to 2^{PV}$ be a valuation function, which assigns the same propositions to the states with the same location, i.e., $V_c((s, v)) = V_c((s, v'))$ for all valuations $v, v'$.

Definition 2. Let $F_c = (Q, q^0, \to)$ be the concrete (discrete) state space of a timed automaton $A$. A structure $M_c = (F_c, V_c)$ is called a concrete (discrete) model of $A$.

Since concrete state spaces (and therefore concrete models) of Timed Automata are usually infinite, they cannot be directly applied to model checking. Therefore, in order to reduce their sizes we define finite abstractions, preserving properties to be verified. The idea is to combine into classes (sets) the concrete states that are indistinguishable w.r.t. these properties.

Definition 3. Let $M_c = (F_c, V_c)$ be a concrete model for $A$. A structure $M = (G, V)$, where $G = (W, w_0, \to)$ is a directed, rooted, edge-labelled graph (the edges are labelled with the names of transitions in $E$) with a node set $W$, $w_0 \in W$ is the initial node, and $V : W \to 2^{PV}$ is a valuation function, is called an abstract (discrete) model for $A$ if the following conditions are satisfied:

- each node $w \in W$ is a set of states of $Q$ and $q^0 \in w_0$;
- for each $w \in W$ and $q \in w$ we have $V_c(q) = V(w)$;
- $(\forall w_1, w_2 \in Reach(W))(\forall e \in E)\ w_1 \xrightarrow{e} w_2$ iff $(\exists q_1 \in w_1)(\exists q_2 \in w_2)\ q_1 \xrightarrow{e} q_2$, where $Reach(W) = \{w \in W \mid w \cap Reach \ne \emptyset\}$.

The graph $G$ is called an abstract state space of $A$, whereas its nodes are called abstract states. The abstract model $M$ is complete iff $(\forall q \in Q)(\exists w \in W)\ q \in w$.

In what follows, we consider complete abstract models only.

In the literature, abstract models generated for a dense semantics (i.e., derived from the concrete state space $F_d$) are usually considered. One of them are surjective models. Below, we provide their definition adapted for the discrete case:

Definition 4. A model $M = (G, V)$ for $A$, where $G = (W, w_0, \to)$, is called surjective iff

$(\forall w_1, w_2 \in Reach(W))(\forall e \in E)$ if $w_1 \xrightarrow{e} w_2$ then $(\forall q_2 \in w_2)(\exists q_1 \in w_1)\ q_1 \xrightarrow{e} q_2$.

An example of surjective models are forward reachability (fr-) models, commonly applied for reachability verification [6, 8, 14]. Reachability analysis on these models is usually performed on-the-fly, together with their generation [6] (notice that in the worst case the whole model must be generated). The models can be further improved by applying various abstractions [8, 14].

Another class of abstract models considered in the literature are bisimulating (b-) models. These models are usually generated for the dense semantics [1, 20], but again their definition can be easily adapted also for the discrete one:

Definition 5. A model $M = (G, V)$ for $A$, where $G = (W, w_0, \to)$, is bisimulating iff

$(\forall w_1, w_2 \in Reach(W))(\forall e \in E)$ if $w_1 \xrightarrow{e} w_2$ then $(\forall q_1 \in w_1)(\exists q_2 \in w_2)\ q_1 \xrightarrow{e} q_2$.

Moreover, in [17], the following simulating (s-) models were introduced:

Definition 6. A model $M = (G, V)$ for $A$, where $G = (W, w_0, \to)$, is simulating iff for each $w \in W$ there exists a non-empty $w^{cor} \subseteq w$ such that $q^0 \in w_0^{cor}$, and

$(\forall w_1, w_2 \in Reach(W))(\forall e \in E)$ if $w_1 \xrightarrow{e} w_2$ then $(\forall q_1 \in w_1^{cor})(\exists q_2 \in w_2^{cor})\ q_1 \xrightarrow{e} q_2$.

Both b- and s-models preserve reachability properties.

3.2 Zones and Regions

Finite abstract models built for Timed Automata use regions as states.

Definition 7. Given a timed automaton $A$, let $s \in S$ and $Z \in Z(n)$. A region $R \subseteq S \times \mathbb{R}^n$ is a set of states $R = \{(s, v) \mid v \in Z\}$, denoted by $(s, Z)$. The region $(s, \emptyset)$ is identified with the empty region.

Let $v, v' \in \mathbb{R}^n$, $Z, Z' \in Z(n)$, and $R, R' \in S \times Z(n)$. We define the following operations on zones and regions:

- $v \le v'$ iff $\exists \delta \in \mathbb{R}^+$ such that $v' = v + \delta$;
- $Z \setminus Z'$ is a set of disjoint zones s.t. $\{Z'\} \cup (Z \setminus Z')$ is a partition of $Z$ (for $Z' \subseteq Z$);
- $R \setminus R' = \{(s, Z'') \mid Z'' \in Z \setminus Z'\}$ for regions $R = (s, Z)$ and $R' = (s, Z')$;
- $Z[Y := 0] = \{v[Y := 0] \mid v \in Z\}$; $[Y := 0]Z = \{v \mid v[Y := 0] \in Z\}$;
- $Z\nearrow = \{v' \in \mathbb{R}^n \mid (\exists v \in Z)\ v \le v'\}$; $Z\swarrow = \{v' \in \mathbb{R}^n \mid (\exists v \in Z)\ v' \le v\}$.

Notice that the operations $\cap$, $Z[Y := 0]$, $[Y := 0]Z$, $Z\nearrow$ and $Z\swarrow$ preserve zones, i.e., applied to zones they yield zones, whereas $Z \setminus Z'$ yields a set of zones. These results together with the implementation of $Z \setminus Z'$ can be found in [1, 20].

4 Pseudo-simulating Models

In [20], the authors claim that minimal b-models, generated for the dense semantics, are often smaller than the corresponding fr-models. Since s-models are usually smaller than the former, they could be better for reachability verification. However, in order to test reachability even more effectively, we introduce pseudo-simulating (ps-) models (which are never bigger than s-models), and provide an algorithm for an on-the-fly reachability verification. The idea behind the definition of ps-models consists in relaxing the requirement on the transition relation of the s-models, formulated for all the predecessors of each state (see Def. 6), such that it applies to one of them only. The selected predecessor needs to be reachable from the initial state in the minimal number of steps.

Fig. 1. A ps- and s-model generated for the same case

Before we give the definition, we need some auxiliary notions. For two nodes $w, w'$ of $G$, let $w \to w'$ denote that there exists $e \in E$ s.t. $w \xrightarrow{e} w'$. A path $\pi$ in $G$ is a finite sequence of nodes and edges of the form $\pi = w_1 \xrightarrow{e_1} w_2 \xrightarrow{e_2} \cdots \xrightarrow{e_{k-1}} w_k$, with $e_i \in E$ for all $i < k$ (labels on the edges can then be omitted). We say that $\pi$ is from $w_1$ to $w_k$. A path is of length $k$ if it contains $k$ edges. For a node $w \in W$, the depth of $w$, denoted by $dpt(w)$, is the length of a shortest path from $w_0$ to $w$ in $G$ if there is such a path; otherwise, the depth of $w$ is assumed to be infinite.

Definition 8. A model $M = (G, V)$ for $A$, where $G = (W, w_0, \to)$, is pseudo-simulating iff for each $w \in W$ there exists a non-empty $w^{cor} \subseteq w$ such that $q^0 \in w_0^{cor}$, and

$(\forall w_1, w_2 \in Reach(W))(\forall e \in E)$ if $w_1 \xrightarrow{e} w_2$, then there exists $w \in Reach(W)$ and $h \in E$ such that $w \xrightarrow{h} w_2$ and $dpt(w)$ is minimal in the set $\{dpt(w') \mid w' \xrightarrow{h'} w_2$ for some $h' \in E\}$, and (*) $(\forall q_1 \in w^{cor})(\exists q_2 \in w_2^{cor})\ q_1 \xrightarrow{h} q_2$.

The following example shows a difference between s- and ps-models:

Example 1. Fig. 1 presents a ps- and an s-model generated for the same case. The cors of the classes are coloured; circles and straight lines are used for drawing the concrete model, while ellipses and arcs are used for the abstract ones. In the ps-model, the states of $w^{cor}$ do not need to have successors in $w'^{cor}$. This, however, is required in the s-model, which results in creating two additional nodes $w'_1$ and $w'_2$.

Let $M = (G, V)$, where $G = (W, w_0, \to)$, be a ps-model for $A$. A run $\rho = q^0 \xrightarrow{e_1} q_1 \xrightarrow{e_2} \cdots \xrightarrow{e_n} q_n$ of $A$ is said to be inscribed in a path $\pi = w_0 \xrightarrow{e_1} w_1 \xrightarrow{e_2} \cdots \xrightarrow{e_n} w_n$ in $G$, if $q_i \in w_i$ for all $i = 0, \ldots, n$.

Denote all the edges $w \xrightarrow{e} w_2$ in $G$ satisfying the condition (*) of Def. 8 by $w \xRightarrow{e} w_2$. Moreover, let $w \Rightarrow w'$ denote that there exists $e \in E$ s.t. $w \xRightarrow{e} w'$. Next, we characterise ps-models:

Theorem 1. The following conditions hold:

a) Each $q^0$-run of $A$ is inscribed in a path of $G$,
b) For each $w \in Reach(W)$, there is $n \in \mathbb{N}$ and $\pi = w_0 \Rightarrow w_1 \Rightarrow \cdots \Rightarrow w_n$ in $G$ s.t. $w = w_n$,
c) For each path $\pi = w_0 \Rightarrow w_1 \Rightarrow \cdots \Rightarrow w_n$ there exists a $q^0$-run $\rho = q^0 \xrightarrow{e_1} q_1 \xrightarrow{e_2} \cdots \xrightarrow{e_n} q_n$ of $A$ inscribed in $\pi$ and such that $q_i \in w_i^{cor}$ for each $i \le n$.

A proof can be found in [18]. It is easy to see from the above theorem that ps-models preserve reachability: by a) and b), every node containing a reachable concrete state is reached from $w_0$ along $\Rightarrow$-edges, and by c), every node reached along $\Rightarrow$-edges contains a concrete state reachable in $A$.

Fig. 2. Relations between various kinds of models

Fig. 2 shows the relations between ps-models and some other well-known classes of models considered in the literature. A proof and an extended comparison, including also other classes of models, can be found in the full version of this paper [18].

5 A Minimization Algorithm for Ps-Models

Ps-models can be generated using a modification of the well-known minimization (partitioning) algorithm [5]. In order to give the algorithm, we introduce the following notions:

By a partition $\Pi \subseteq 2^Q$ of the set of concrete states $Q$ of $A$ we mean a set of disjoint classes $X \subseteq Q$ the union of which equals $Q$. For a given partition $\Pi$ of $Q$, $X, Y \in \Pi$ and $e \in E$ we introduce the functions:

• $pre_e(X, Y) = \{x \in X \mid \exists y \in Y : x \xrightarrow{e} y\}$;
• $post_e(X, Y) = \{y \in Y \mid \exists x \in X : x \xrightarrow{e} y\}$.

In order to generate ps-models, instead of a partition of $Q$, we use a d-cor-partition $\Pi \subseteq 2^Q \times 2^Q \times (\mathbb{N} \cup \{\infty\})$, defined as a set of triples of the form $\mathbf{X} = (X, X^{cor}, dpt(X))$, where $\Pi|_1$ (i.e., the projection of $\Pi$ on the first component) is a partition of $Q$, and $X^{cor} \subseteq X$. By $q \in \mathbf{X}$ we mean that $q \in X$. Define $\mathbf{X} \xrightarrow{e} \mathbf{Y}$ iff $X \xrightarrow{e} Y$, i.e., $pre_e(X, Y) \ne \emptyset$. Moreover, we introduce

• $Pre^e_\Pi(X) = \{Y \in \Pi \mid pre_e(Y, X) \ne \emptyset\}$, $Pre_\Pi(X) = \bigcup_{e \in E} Pre^e_\Pi(X)$;
• $Post^e_\Pi(X) = \{Y \in \Pi \mid post_e(X, Y) \ne \emptyset\}$, $Post_\Pi(X) = \bigcup_{e \in E} Post^e_\Pi(X)$.

A class $X$ is reachable if there is a concrete state $q \in X$ which is reachable.

Below, we introduce the notion of ps-unstability. Intuitively, a class $X$ is ps-unstable w.r.t. its successor $Y$ in $\Pi$ if there is no predecessor of $Y$ with a minimal depth such that its cor contains only states with successors in $Y^{cor}$ (see also Fig. 3).

Definition 9. Let $\Pi$ be a given d-cor-partition, and $X, Y \in \Pi$.

• The class $X$ is ps-unstable w.r.t. $Y$ iff for some $e \in E$ we have $pre_e(X, Y) \ne \emptyset$, and for all $h \in E$ and all $X_1 \in \Pi$ such that $X_1 \xrightarrow{h} Y$ and $dpt(X_1)$ is minimal in $\{dpt(X_1') \mid X_1' \in Pre_\Pi(Y)\}$ we have $pre_h(X_1^{cor}, Y^{cor}) \ne X_1^{cor}$;
• $\Pi$ is ps-stable iff $(G|_1, V|_1)$, where $G|_1 = (\Pi|_1, [q^0], \to)$ and $[q^0]$ denotes the class containing $q^0$, is a ps-model with $X^{cor}$ and $dpt(X)$ satisfying Def. 8 w.r.t. $X$ for each $X \in \Pi$.

Fig. 3. Ps-stability and ps-unstability: (a) ps-stable, (b) ps-unstable

Example 2. Fig. 3 illustrates the notions of ps-stability and ps-unstability. Consider classes $X, X_1, Y$ of a partition $\Pi$ with the components $dpt$ as shown in the figure. In part (a), both the classes $X$ and $X_1$ are ps-stable w.r.t. $Y$, since all the states of $X^{cor}$ have successors in $Y^{cor}$, and $X$ is the predecessor of $Y$ with the minimal depth. By contrast, in (b) both the classes are ps-unstable w.r.t. $Y$, since its minimal-depth predecessor $X$ does not satisfy the required condition.

The minimization algorithm for ps-models is a modification of the algorithm for s-models [10]. It starts from an initial d-cor-partition $\Pi_0$, in which the component $dpt$ of the class containing $q^0$ is equal to 0 and its cor is the singleton $\{q^0\}$, whereas for all the other classes $X \in \Pi_0$, $dpt(X) = \infty$ and $X^{cor} = X$. Then, it constructs a minimal model $M_{min} = (G_{min}, V)$, where $G_{min} = (\Pi_R, ([q^0], \{q^0\}, 0), \to)$, $\Pi_R$ is the reachable part of a ps-stable partition $\Pi$ obtained by a refinement of $\Pi_0$, $\Pi|_1$ is compatible with $\Pi_0|_1$ (i.e., each class of $\Pi_0|_1$ is a union of classes of $\Pi|_1$), and $([q^0], \{q^0\}, 0) \in \Pi$ is the class containing $q^0$. The algorithm is parameterised by a non-deterministic function $Split(X, \Pi)$, defined for the classes $X \in \Pi$ with $dpt(X) \ne \infty$ (the explanation for considering these classes only will be given later). The function refines $\Pi$ by choosing a class $Y \in \Pi$ w.r.t. which $X$ is ps-unstable, and then splitting either $X$, or a class $X_1 \in \Pi$ s.t. $dpt(X_1)$ is minimal in the set $\{dpt(X_1') \mid X_1' \in Pre_\Pi(Y)\}$, in order to make $X$ ps-stable w.r.t. $Y$. Before defining the above function, we introduce another function $dpt_\Pi(X)$, defined for $X \in \Pi|_1$, which is used for computing the component $dpt(X)$ when a new class $X$ is created. The function returns a value which is a possible depth of $X$, determined by the analysis of the classes $Y \in \Pi$ for which there is $e \in E$ s.t. $pre_e(Y, X) \ne \emptyset$ (notice that the components $dpt$ of the classes in a given step of the algorithm can differ from their depths in the model obtained when the algorithm terminates). More precisely, $dpt_\Pi([q^0]) = 0$, $dpt_\Pi(X) = 1 + \min\{dpt(V) \mid V \in \Pi \wedge pre_e(V, X) \ne \emptyset$ for some $e \in E\}$ if there exist $V \in \Pi$ and $e \in E$ such that $pre_e(V, X) \ne \emptyset$ and $dpt(V) \ne \infty$, and $dpt_\Pi(X) = \infty$ otherwise. For $X, Y \in \Pi$ s.t. $pre_e(X, Y) \ne \emptyset$ and $pre_e(X^{cor}, Y^{cor}) \ne X^{cor}$ for some $e \in E$, we define also an auxiliary function $Sp(X, Y, e, \Pi)$, which splits $X$ w.r.t. $Y$ as follows (see also Fig. 4):

1. $Sp(X, Y, e, \Pi) = \{(X, pre_e(X^{cor}, Y^{cor}), dpt_\Pi(X))\}$ if $X$ is pseudo e-stable w.r.t. $(Y, Y^{cor}, dpt(Y))$, i.e., $pre_e(X^{cor}, Y^{cor}) \ne \emptyset$;

2. $Sp(X, Y, e, \Pi) = \{(X \setminus X^{cor}, pre_e(X, Y^{cor}), dpt_\Pi(X \setminus X^{cor})), (X^{cor}, X^{cor}, dpt_\Pi(X^{cor}))\}$ if $X$ is pseudo e-unstable w.r.t. $Y$, i.e., $pre_e(X^{cor}, Y^{cor}) = \emptyset \wedge pre_e(X, Y^{cor}) \ne \emptyset$;

3. $Sp(X, Y, e, \Pi) = \{(X, pre_e(X^{cor}, Y), dpt_\Pi(X)), (Y^{cor}, Y^{cor}, dpt_\Pi(Y^{cor})), (Y \setminus Y^{cor}, Y \setminus Y^{cor}, dpt_\Pi(Y \setminus Y^{cor}))\}$ if $X$ is semi e-unstable w.r.t. $Y$, i.e., $pre_e(X^{cor}, Y^{cor}) = pre_e(X, Y^{cor}) = \emptyset \wedge pre_e(X^{cor}, Y) \ne \emptyset$;

4. $Sp(X, Y, e, \Pi) = \{(pre_e(X, Y), pre_e(X, Y), dpt_\Pi(pre_e(X, Y))), (X \setminus pre_e(X, Y), X^{cor}, dpt_\Pi(X \setminus pre_e(X, Y))), (Y^{cor}, Y^{cor}, dpt_\Pi(Y^{cor})), (Y \setminus Y^{cor}, Y \setminus Y^{cor}, dpt_\Pi(Y \setminus Y^{cor}))\}$ if $X$ is e-unstable w.r.t. $Y$, i.e., $pre_e(X^{cor}, Y^{cor}) = pre_e(X, Y^{cor}) = pre_e(X^{cor}, Y) = \emptyset$.

Fig. 4. The four cases of the function $Sp$: pseudo e-stable (modify $X^{cor}$); pseudo e-unstable (split $(X, X^{cor}, dpt(X))$); semi e-unstable (split $(Y, Y^{cor}, dpt(Y))$ and modify $X^{cor}$); e-unstable (split $(X, X^{cor}, dpt(X))$ and $(Y, Y^{cor}, dpt(Y))$)

Then, we define

• $Split(X, \Pi) = \{X\}$ if $X$ is ps-stable w.r.t. all $Y$ in $\Pi$.

Otherwise, a class $Y$ and a transition $e \in E$ are chosen, for which $pre_e(X, Y) \ne \emptyset$ and $X$ is ps-unstable w.r.t. $Y$, and then

a) if $dpt(Y) \ge dpt(X) + 1$, then $Split(X, \Pi) = Sp(X, Y, e, \Pi)$;

b) if $dpt(Y) < dpt(X) + 1$, then we choose a class $X_1$ s.t. for some $h \in E$ we have $pre_h(X_1, Y) \ne \emptyset$, $pre_h(X_1^{cor}, Y^{cor}) \ne X_1^{cor}$ and $dpt(X_1) = \min\{dpt(X_1') \mid X_1' \in Pre_\Pi(Y)\}$, and $Split(X, \Pi) = Sp(X_1, Y, h, \Pi)$.

Intuitively, if $X$ is ps-unstable w.r.t. $Y$ and from the analysis of $\Pi$ in a given step we can assume that in the model obtained when the algorithm terminates $X$ will be the predecessor of $Y$ of the minimal depth, then we apply to these classes the appropriate case of the function $Sp$. Otherwise, i.e., if $dpt(Y)$ indicates that $Y$ has another predecessor with a depth smaller than $dpt(X)$, we apply the function $Sp$ to $Y$ and to its predecessor with the smallest value of $dpt$ (see also Fig. 5).
Fig. 5. Two cases of the function $Split(X, \Pi)$: (a) apply $Sp$ to $X$ and $Y$; (b) apply $Sp$ to $X_1$ and $Y$



Example 3. Fig. 5 presents two cases of the function $Split(X, \Pi)$. Consider a class $Y$ and its two predecessors $X$ and $X_1$ shown in the figure, and a step of the algorithm in which the components $dpt$ of these classes are equal to the ones given in the picture. If in this step stability of $X$ is checked, then the appropriate case of the function $Sp$ will be applied to $X$ and $Y$ in case (a), and to $X_1$ and $Y$ in case (b).

Notice that while applying the function $Split$ to $([q^0], \{q^0\}, 0)$, the cor of the class containing $q^0$ remains unchanged, which ensures that $q^0 \in [q^0]^{cor}$ always holds.

The minimization algorithm for s-models maintains two sets $stable$ and $reachable$, which contain the stable and reachable classes of $\Pi$ of a given step, respectively. Classes to be split are chosen from $reachable$. The algorithm terminates when the sets $reachable$ and $stable$ are equal. The algorithm for ps-models is similar. However, in this case, the modifications made to $reachable$ in a step of the algorithm result in changing the components $dpt$ of some classes. More precisely, if a class $X$ is ps-stable w.r.t. all its successors, then it is added to the set $stable$, and all its successors $Y$ are added to $reachable$. Before adding $Y$ to $reachable$ we set $dpt(Y) = \min\{dpt(X) + 1, dpt(Y)\}$. Then, the set $reachable$ contains only classes with the components $dpt$ different from $\infty$ (this explains why it is sufficient to have the function $Split$ defined for such classes only). Moreover, if a class $Y$ is removed from $reachable$, then $dpt(Y)$ is set to $\infty$.

In order to generate ps-models more effectively, the set reachable can be 
replaced by a list reachable sorted w.r.t. the depths of the classes. This makes 
the algorithm work in a BFS-like mode, and the case b) of the function Split 
never occurs. (More precisely, in a BFS like behaviour of the algorithm, the case 
b), i.e., ps-unstability of a class X w.r.t. a class Y with dpt{Y) < dpt{X) + 1, 
can occur only when Y is the initial class. This, however, can be avoided as well, 
which is explained later). 

The models obtained this way are usually smaller than the ones we get when 
classes to be split can be chosen in an arbitrary order. 

Example 4. Fig. 6 shows the influence of the order in which classes to be split are chosen from $\Pi$ on the size of the generated model. Consider $X, X_1 \in \Pi$ and a step of the algorithm in which the components $dpt$ of the classes are equal to the ones given in the picture. In the case when ps-stability of the class $X_1$ is checked before adding $X$ to the list $reachable$, the class is found ps-unstable w.r.t. $Y$, and due to $dpt(X) = \infty$, the function $Sp$ is applied to $X_1$ and $Y$. In a further step, ps-stability of $X$ is checked, and since at this step $dpt(X)$ satisfies the condition $dpt(X) < dpt(X_1)$, the function $Sp$ is applied to $X$ and $Y$. The above process is shown on the left-hand side of the picture. On the other hand, if the algorithm works in a BFS-like mode, ps-stability of the predecessor of $Y$ with the minimal depth is always checked first. This prevents unnecessary partitionings.

Fig. 6. A difference between ps-models obtained when classes to be split are chosen in two different orders: steps 1 to 3 on the left ($dpt(X_1) = 4$ and $dpt(X) = \infty$ with $X$ not in $reachable$, then $dpt(X_1) = 4$ and $dpt(X) = 3$), BFS-like behaviour on the right ($dpt(X_1) = 4$, $dpt(X) = 3$)

Notice that in spite of the algorithm operating in the BFS-like mode, in the case when ps-stability of a class $X$ w.r.t. its successor $Y = ([q^0], \{q^0\}, 0)$ is checked, it can be impossible to find a predecessor $X_1$ of $Y$ which satisfies the condition $pre_h(X_1^{cor}, Y^{cor}) = X_1^{cor}$, and case b) of the function $Split$ can occur. However, it is easy to see that partitionings in this case are not necessary, since they do not influence the reachability information. The problem can be easily solved by adding a fictitious self-loop $Y \Rightarrow Y$, which makes the initial class its own predecessor of the minimal depth satisfying the condition (*) of Def. 8.

Due to the BFS-like behaviour of the algorithm, on-the-fly reachability analysis is possible. The process of generating a model can be stopped as soon as a class $X$ satisfying a tested property is added to $reachable$, since in this case we have a finite path $\pi := ([q^0], \{q^0\}, 0) \Rightarrow \cdots \Rightarrow X$, which proves reachability of a state $q \in X$.

The pseudo-code of the algorithm for generating ps-models, enabling on-the-fly reachability analysis, is presented in Fig. 7. The termination of the algorithm follows from the termination of the algorithm for s-models.
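The procedure of Section 5 (Def. 9, the functions $Sp$ and $Split$, and the loop of Fig. 7) is easiest to follow on a finite, explicitly given state space, where $pre_e$ is a set comprehension rather than a zone operation. The following Python program is an added illustration and not the paper's Verics implementation: it implements the algorithm generically over any finite labelled transition system (classes are triples $(X, X^{cor}, dpt(X))$, the initial partition groups states by their propositional labelling), processes classes in BFS order as recommended above, and stops as soon as a class satisfying the tested proposition is added to $reachable$. The states, edges and labels at the bottom are constructed sample input, and the name `PsModelBuilder` and its methods are this example's own. Two liberties are taken and marked in comments: when case a) of $Split$ would select an edge that already satisfies (*), the code falls through to case b), and the test of line 10 is performed as each successor is added.

```python
# Pseudo-simulating (ps-) model generation after Section 5 and Fig. 7, run on an
# explicit finite transition system instead of zones.  Added illustration, not
# the paper's Verics code; the states, edges and labels at the bottom are
# constructed sample input.  Each class is a triple (X, X^cor, dpt(X)).
INF = float("inf")

class Cls:                                   # one d-cor-partition class
    def __init__(self, states, cor, dpt):
        self.states, self.cor, self.dpt = frozenset(states), frozenset(cor), dpt

def pre(edges, e, X, Y):                     # pre_e(X, Y): states of X with an e-successor in Y
    return frozenset(x for x in X if any((x, e, y) in edges for y in Y))

class PsModelBuilder:
    def __init__(self, states, labels, edges, q0, actions):
        self.edges, self.q0, self.E, self.labels = set(edges), q0, actions, labels
        groups = {}                          # Pi_0: one class per labelling; the class of q0
        for q in states:                     # gets cor {q0} and depth 0, the others cor X, oo
            groups.setdefault(labels[q], set()).add(q)
        self.Pi = [Cls(g, {q0} if q0 in g else g, 0 if q0 in g else INF)
                   for g in groups.values()]
    def preds(self, Y):                      # pairs (X1, h) with pre_h(X1, Y) non-empty
        return [(X1, h) for X1 in self.Pi for h in self.E
                if pre(self.edges, h, X1.states, Y.states)]
    def violating(self, X, Y):               # actions e with an edge X -e-> Y breaking (*)
        return [e for e in self.E if pre(self.edges, e, X.states, Y.states)
                and pre(self.edges, e, X.cor, Y.cor) != X.cor]
    def ps_unstable(self, X, Y):             # Def. 9: X reaches Y, yet no minimal-depth
        if not any(pre(self.edges, e, X.states, Y.states) for e in self.E):
            return False                     # predecessor of Y maps its whole cor into Y^cor
        preds = self.preds(Y)
        mind = min(X1.dpt for X1, _ in preds)
        return not any(X1.dpt == mind and pre(self.edges, h, X1.cor, Y.cor) == X1.cor
                       for X1, h in preds)
    def dpt_pi(self, states):                # dpt_Pi: 1 + smallest finite predecessor depth
        if self.q0 in states:
            return 0
        ds = [V.dpt for V in self.Pi for e in self.E
              if V.dpt != INF and pre(self.edges, e, V.states, states)]
        return 1 + min(ds) if ds else INF
    def sp(self, X, Y, e):                   # the four cases of Sp(X, Y, e, Pi)
        p = lambda A, B: pre(self.edges, e, A, B)
        Xc, Yc, Yr = X.cor, Y.cor, Y.states - Y.cor
        split_Y = lambda: [Cls(Yc, Yc, self.dpt_pi(Yc)), Cls(Yr, Yr, self.dpt_pi(Yr))]
        if p(Xc, Yc):                        # 1. pseudo e-stable: only X^cor shrinks
            return [Cls(X.states, p(Xc, Yc), self.dpt_pi(X.states))]
        if p(X.states, Yc):                  # 2. pseudo e-unstable: X is split
            Xr = X.states - Xc
            return [Cls(Xr, p(Xr, Yc), self.dpt_pi(Xr)), Cls(Xc, Xc, self.dpt_pi(Xc))]
        if p(Xc, Y.states):                  # 3. semi e-unstable: Y split, X^cor modified
            return [Cls(X.states, p(Xc, Y.states), self.dpt_pi(X.states))] + split_Y()
        pXY = p(X.states, Y.states)          # 4. e-unstable: both are split
        return [Cls(pXY, pXY, self.dpt_pi(pXY)),
                Cls(X.states - pXY, Xc, self.dpt_pi(X.states - pXY))] + split_Y()
    def split(self, X):                      # Split(X, Pi); returns [X] when X is ps-stable
        for Y in self.Pi:
            if not self.ps_unstable(X, Y):
                continue
            bad = self.violating(X, Y)       # case a); liberty: fall through if X has no
            if Y.dpt >= X.dpt + 1 and bad:   # edge into Y that violates (*)
                return self.sp(X, Y, bad[0])
            X1, h = min(((X1, h) for X1, h in self.preds(Y)   # case b): minimal-depth
                         if h in self.violating(X1, Y)), key=lambda t: t[0].dpt)
            return self.sp(X1, Y, h)
        return [X]
    def check(self, target):                 # Fig. 7, classes taken in BFS (depth) order
        reachable = [C for C in self.Pi if self.q0 in C.states]
        stable = []
        while True:
            todo = [C for C in reachable if C not in stable]
            if not todo:                     # reachable == stable: whole ps-model built
                return False, self.Pi
            X = min(todo, key=lambda C: C.dpt)
            new = self.split(X)
            if new == [X]:                   # lines 7-10: add Post_Pi(X), update depths
                stable.append(X)
                for Y in self.Pi:
                    if any(pre(self.edges, e, X.states, Y.states) for e in self.E):
                        Y.dpt = min(X.dpt + 1, Y.dpt)
                        if Y not in reachable:
                            reachable.append(Y)
                        if self.labels[next(iter(Y.states))] == target:
                            return True, self.Pi   # a =>-path from [q0] reaches Y
                continue
            YX = [Y for Y in self.Pi if any(Y.states & N.states for N in new)]
            for Z in new:                    # lines 14-18: replace the split classes
                if self.q0 not in Z.states:
                    Z.dpt = INF
            preYX = [V for V in self.Pi if any(pre(self.edges, e, V.states, Y.states)
                                               for Y in YX for e in self.E)]
            stable = [C for C in stable if C not in preYX and C not in YX]
            reachable = ([C for C in reachable if C not in YX]
                         + [Z for Z in new if self.q0 in Z.states])
            self.Pi = [C for C in self.Pi if C not in YX] + new

# Constructed sample system: q0 -e-> a1, a2;  a1 -f-> b1;  a2 -f-> b2;  b1 -e-> c1.
STATES = ["q0", "a1", "a2", "b1", "b2", "c1"]
LABELS = {"q0": "init", "a1": "A", "a2": "A", "b1": "B", "b2": "B", "c1": "C"}
EDGES = [("q0", "e", "a1"), ("q0", "e", "a2"), ("a1", "f", "b1"), ("a2", "f", "b2"), ("b1", "e", "c1")]

def demo(target):                            # (answer, final d-cor-partition)
    return PsModelBuilder(STATES, LABELS, EDGES, "q0", ["e", "f"]).check(target)
```

On the sample, $\Pi_0$ has four classes (one per label) and the algorithm never splits any of them: only the cors shrink, to $\{q_0\}$, $\{a_1\}$, $\{b_1\}$ and $\{c_1\}$, after which every class is ps-stable. `demo("C")` answers `True` as soon as the class of $c_1$ is added at depth 3, and `demo("D")` (a label no state carries) builds the complete four-class ps-model and answers `False`. A bisimulating model of the same system would have to separate $b_1$ from $b_2$ (only $b_1$ has a successor) and hence $a_1$ from $a_2$, giving six nodes.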

Fig. 7. A minimization algorithm for an on-the-fly reachability analysis on ps-models:

1. $\Pi := \Pi_0$; $reachable := \{([q^0], \{q^0\}, 0)\}$; $stable := \emptyset$;
2. while $(\exists X \in reachable \setminus stable)$ do
3. begin
4.   $C^\Pi := Split(X, \Pi)$;
5.   if $(C^\Pi = \{X\})$ then
6.   begin
7.     $stable := stable \cup \{X\}$;
8.     for $Y \in Post_\Pi(X)$ do $dpt(Y) := \min\{dpt(X) + 1, dpt(Y)\}$;
9.     $reachable := reachable \cup Post_\Pi(X)$;
10.    if $(\exists Y \in Post_\Pi(X))$ s.t. $Y \models p$ then return "YES";
11.  end;
12.  else
13.  begin
14.    $Y_X := \{Y \in \Pi \mid Y$ has been split or $Y^{cor}$ changed$\}$;
15.    for $Z \in \{Y \in C^\Pi \mid q^0 \notin Y\}$ do $dpt(Z) := \infty$;
16.    $stable := stable \setminus Pre_\Pi(Y_X) \setminus Y_X$;
17.    $reachable := (reachable \setminus Y_X) \cup \{Y \in C^\Pi \mid q^0 \in Y\}$;
18.    $\Pi := (\Pi \setminus Y_X) \cup C^\Pi$;
19.  end;
20. end;
21. return "NO";

6 Implementation for Timed Automata

In order to implement the above algorithm for Timed Automata, we have to define an initial d-cor-partition $\Pi_0$ such that $\Pi_0|_1$ is a partition of the concrete state space $Q$ for a given automaton $A$, and to implement the functions $pre_e$, $Pre$ and $Post$. Since abstract models for Timed Automata usually use regions as states, we need to define $\Pi_0$ and the above functions to satisfy this requirement. Therefore, as an initial d-cor-partition of $Q$ we can assume a set of classes whose first components are regions corresponding to locations of the automaton and invariants associated with them. Cors of all the classes besides the initial one are equal to their first components, and their depths are set to $\infty$. Cor of the initial class is a singleton $\{q^0\}$, and its depth is equal to 0. Formally, we assume $\Pi_0 = \{((s^0, \mathbb{R}^n \cap \mathcal{I}(s^0)), \{q^0\}, 0)\} \cup \{((s, Z), (s, Z), \infty) \mid s \in S \setminus \{s^0\} \wedge Z = \mathbb{R}^n \cap \mathcal{I}(s)\}$. In order to deal with the algorithm, for regions $R, R'$ we define $(R \setminus R', R \setminus R') = \{(R'', R'') \mid R'' \in R \setminus R'\}$. Then, for a given d-cor-partition $\Pi$, $(s, Z), (s', Z') \in \Pi|_1$ and a transition $e : s \xrightarrow{a, z, Y} s' \in E$ we introduce [11]:

- $pre_e((s, Z), (s', Z')) = (s, Z \cap (([Y := 0](Z'\swarrow \cap \mathcal{I}(s')) \cap z \cap \mathcal{I}(s))\swarrow))$;
- for $e : s' \xrightarrow{a, z, Y} s$, $Pre^e_\Pi(((s, Z), (s, Z_1))) = \{((s', Z'), (s', Z'_1)) \in \Pi \mid Z' \cap (([Y := 0](Z\swarrow \cap \mathcal{I}(s)) \cap z \cap \mathcal{I}(s'))\swarrow) \ne \emptyset\}$;
- for $e : s \xrightarrow{a, z, Y} s'$, $Post^e_\Pi(((s, Z), (s, Z_1))) = \{((s', Z'), (s', Z'_1)) \in \Pi \mid ((Z\nearrow \cap \mathcal{I}(s) \cap z)[Y := 0])\nearrow \cap Z' \ne \emptyset\}$.

Notice that while computing $Z\nearrow$ or $Z\swarrow$ for the zone $Z$ of a region $(s, Z)$, we need to ensure that the invariant for the location $s$ is satisfied. Due to that, in the above operations zones are intersected with invariants for appropriate locations.
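The zone operations above are written out here for the simplest case, a single clock with closed constraints only, where a zone is an interval $[lo, hi]$. This Python snippet is an added illustration and not the paper's implementation: it realises $Z\nearrow$, $Z\swarrow$, $Z[Y := 0]$, $[Y := 0]Z$ and $\cap$ on intervals and uses them to evaluate $pre_e$ and the emptiness test behind $Post^e_\Pi$ exactly as in the formulas above (with the invariant of the target location also applied on the $Post$ side). It supports neither strict bounds nor diagonal constraints, which a DBM-based implementation would, and $Z\swarrow$ is clipped at 0 because clock values of concrete states are never negative. The two-location automaton, the names `pre_e`, `post_nonempty` and `demo`, and the encoding of a transition as a 5-tuple are this example's own assumptions.

```python
# The pre_e / Post^e formulas of Section 6, specialised to one clock with closed
# constraints: a zone is a closed interval (lo, hi) with hi possibly inf, and the
# empty zone is None.  Added illustration, not the paper's implementation; strict
# bounds and diagonal constraints (which need DBMs) are not supported, and Z↙ is
# clipped at 0 since clock values of concrete states are never negative.
import math

EMPTY = None

def inter(a, b):                               # Z ∩ Z'
    if a is EMPTY or b is EMPTY:
        return EMPTY
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else EMPTY

def up(z):                                     # Z↗: time successors
    return EMPTY if z is EMPTY else (z[0], math.inf)

def down(z):                                   # Z↙: time predecessors, clipped at 0
    return EMPTY if z is EMPTY else (0, z[1])

def reset(z, y):                               # Z[Y:=0]; y tells whether the clock is in Y
    return EMPTY if z is EMPTY else ((0, 0) if y else z)

def inv_reset(z, y):                           # [Y:=0]Z: valuations whose reset lands in Z
    if z is EMPTY:
        return EMPTY
    return ((0, math.inf) if z[0] <= 0 <= z[1] else EMPTY) if y else z

# A transition e is encoded as (s, action, guard zone z, reset flag, s'); inv maps
# locations to their invariant zones.  Both encodings are this example's own.
def pre_e(e, inv, Z, Zp):
    """pre_e((s,Z),(s',Z')) = (s, Z ∩ (([Y:=0](Z'↙ ∩ I(s')) ∩ z ∩ I(s))↙))."""
    s, _, guard, y, sp = e
    inner = inter(inter(inv_reset(inter(down(Zp), inv[sp]), y), guard), inv[s])
    return (s, inter(Z, down(inner)))

def post_nonempty(e, inv, Z, Zp):
    """Membership test of Post^e_Pi: ((Z↗ ∩ I(s) ∩ z)[Y:=0])↗ ∩ I(s') ∩ Z' ≠ ∅."""
    s, _, guard, y, sp = e
    moved = up(reset(inter(inter(up(Z), inv[s]), guard), y))
    return inter(inter(moved, inv[sp]), Zp) is not EMPTY

# Constructed sample automaton: locations s0 (x <= 5) and s1 (x <= 10), and two
# transitions s0 -> s1 guarded by x >= 2, one resetting the clock, one not.
INV = {"s0": (0, 5), "s1": (0, 10)}
E_RESET = ("s0", "a", (2, math.inf), True, "s1")
E_KEEP = ("s0", "b", (2, math.inf), False, "s1")

def demo():
    return {
        "pre_reset": pre_e(E_RESET, INV, (0, 5), (3, 4)),        # ("s0", (0, 5))
        "pre_keep": pre_e(E_KEEP, INV, (0, 5), (3, 4)),          # ("s0", (0, 4))
        "pre_keep_empty": pre_e(E_KEEP, INV, (0, 5), (0, 1)),    # ("s0", None)
        "pre_reset_low": pre_e(E_RESET, INV, (0, 5), (0, 1)),    # ("s0", (0, 5))
        "post_keep": post_nonempty(E_KEEP, INV, (0, 1), (3, 4)),        # True
        "post_keep_empty": post_nonempty(E_KEEP, INV, (0, 1), (0, 1)),  # False
        "post_reset_low": post_nonempty(E_RESET, INV, (0, 1), (0, 1)),  # True
    }
```

The two `pre_e` calls on the same target region $(s_1, [3, 4])$ show the effect of the reset: with the clock reset on the transition, every state of $s_0$ from which the guard $x \ge 2$ can be reached by waiting is a predecessor, whereas without the reset only the valuations with $x \le 4$ remain. The region $(s_1, [0, 1])$ has no predecessor at all via the non-resetting transition, since the guard $x \ge 2$ cannot hold on arrival, but every state of $s_0$ is its predecessor via the resetting one.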

7 Experimental Results

We have implemented our algorithm (as a component of the tool Verics [9]) in the C++ programming language, and run it on a machine equipped with 772 MB of main memory and the Linux operating system. We have considered three examples: the well-known Fischer's mutual exclusion protocol, the CSMA/CD protocol used by networking machines to control the use of a common bus, and the railroad crossing system (RCS) [1, 13], consisting of three automata representing its components, and an additional automaton of a specification for the property "whenever the gate is down, it is moved back up within K seconds for some K". The property is violated when an "erroneous" state of the specification is reachable, which holds for K < 700. The sizes of our models are compared with the sizes of fr- and b-models, obtained using the tool Kronos [23]. We provide the results only for the cases in which the whole model must be generated. In the table in Fig. 8, the column A gives the size of the automaton, forw shows the size of the fr-model generated without any abstractions, and -ai-ax the size with the inclusion and extrapolation abstractions added [8]. The cases when memory was exhausted are denoted by ★.

Fig. 8. Experimental results for various examples

The preliminary results show that the reduction in the size of the model can be substantial. Although the total number of edges of ps-models can be relatively large (our transition relation implies that for a given class all the classes which can be reached by passing some time, performing an action and then passing some time again are considered as its successors, whereas in b-models, for instance, only immediate time-successors are taken into account), the number of states of ps-models is smaller than that of the corresponding fr- and b-models, which is most important for checking reachability. However, the requirement of convexity often results in generating too many classes while partitioning, since computing complementations (differences) of classes is exponential in the number of clocks. No solution that avoids this operation has been found so far, either for s-models or for the discrete semantics. Our experiments show that in many cases the efficiency of the method outweighs the above problem, but there are certainly also examples in which this drawback dominates. Therefore, the present approach is expected to be even more efficient once the problem of avoiding complementations is solved.

The comparison of our approach with other methods of reachability analysis 
for Timed Automata shows that our result can be considered as quite important 
for proving correctness (i.e., for showing that no state satisfying a tested property 
is reachable, which requires exploring the whole model). The paper [3], which 
compares several results of proving reachability for a mutual exclusion protocol 
by various tools (exploiting both symbolic and non-symbolic methods), shows 
the superiority of the BMC approach. Unfortunately, that paper contains no 
results for proving correctness, but the implementation of [21], which seems to 
be even more efficient than the one of [3], is able to deal in this case with 2 
processes only, whereas it is possible to generate abstract models for more. Since 
our ps-models can be smaller than other abstract models shown in the literature, 
it seems they can be better for this kind of verification. 

8 Conclusions and Further Work 

The idea of using b-models for testing reachability comes from the paper [20], 
in which it is said that minimal b-models could often be smaller than the corre- 
sponding fr- ones. Since our ps-models are usually smaller than b- ones, we use 
them instead of the latter, combining this approach with a discrete semantics (a 
generalization of the semantics used for fr-models), which is sufficient for check- 
ing reachability, and can lead to better results. We provide the modification of 
the partitioning algorithm, enabling on-the-fly reachability analysis. Moreover, 
in many cases the simple "yes/no" answer to a reachability (or safety) question 
is not sufficient, and the sequence of transitions leading to a state is also of 
interest. Due to the BFS-like behaviour of the algorithm, our method can 
answer this question as well. 

The preliminary experimental results show that our method can be very 
efficient. However, the main drawback consists in complementation of classes 
during partitioning. Therefore, our further research will concentrate around the 
above problem. 
Abstract. The main contribution of the paper consists in showing that 
the BMC method is feasible for ACTL* (the universal fragment of CTL*) 
which subsumes both ACTL and LTL. The extension to ACTL* is ob- 
tained by redefining the function returning the sufficient number of ex- 
ecutions over which an ACTL* formula is checked, and then by com- 
bining two known translations to SAT for ACTL and LTL formulas. 
The proposed translation of ACTL* formulas is essentially different from 
the existing translations of both ACTL and LTL formulas. Moreover, 
ACTL* seems to be the largest set of temporal properties which can be 
verified by means of BMC. We have implemented our new BMC algo- 
rithm for discrete timed automata and we have presented preliminary 
experimental results, which prove the efficiency of the method. The for- 
mal treatment is the basis for the implementation of the technique in the 
symbolic model checker Verics. 



1 Introduction 

Model checking is considered one of the most spectacular practical applica- 
tions of theoretical computer science in verification of concurrent systems. 
The main idea of model checking consists in representing a program as a labeled 
transition system (model), representing a specification as a temporal formula, 
and checking automatically whether the formula holds in the model [10]. Unfor- 
tunately, the practical applicability of model checking is strongly restricted by 
the state explosion problem, which is mainly caused by representing concurrency 
of operations by their interleaving. Therefore, many different reduction tech- 
niques have been introduced in order to alleviate the state explosion. The major 
methods include application of partial order reductions [4, 21, 22, 28], symme- 
try reductions [15], abstraction techniques [12, 11], BDD-based symbolic storage 
methods [19], and SAT-related algorithms [2, 6, 9, 14, 18, 20, 23, 24, 25, 26, 29]. 

* Partly supported by the State Committee for Scientific Research under the grant 
Bounded model checking (BMC) based on SAT (satisfiability checking) meth- 
ods has been introduced as a complementary technique to BDD-based symbolic 
model checking for LTL [6, 7]. The main idea of bounded model checking for 
LTL is to look for an execution of the system of some length $k$ which is a coun- 
terexample for a tested property. If no counterexample of length $k$ can be found, 
then $k$ is increased by one. The efficiency of this method is based upon the ob- 
servation that if a system is faulty, then often only a (small) fragment of its 
state space is sufficient for finding an error. The above observation has been 
confirmed experimentally [6, 7, 23, 25]. 

The main contribution of our paper is an extension of the method BMC to 
verification of the branching time properties expressible in ACTL* (the universal 
fragment of CTL*) [10], which subsumes both ACTL and LTL. ACTL* seems 
to be the largest set of temporal properties which can be verified by means of 
BMC. Moreover, we have implemented our new BMC algorithm for Discrete 
Timed Automata [8] and proved its efficiency by performing several experiments 
for the standard mutual exclusion protocol. The proposed BMC algorithm for 
ACTL* is going to be a new module of the tool Verics [13]. 

The main idea of our new BMC method for ACTL* consists in combining 
a translation of a model $M$ to several symbolic paths, which can start at arbi- 
trary states of the model, with a translation of the negation of an ACTL* for- 
mula $\varphi$. The latter translation is obtained by redefining the function $f_k$ of [23] 
returning the sufficient number of executions over which $\varphi$ is checked, and then 
by combining two known translations for ACTL [23] and LTL [6]. This is ob- 
tained by applying the LTL translation for all the LTL subformulas of $\varphi$, and 
the ACTL translation for all the state subformulas of $\varphi$, i.e., the formulas which 
begin with a path quantifier. 

The rest of the paper is organized as follows. The next section contains the 
discussion of the related work. Then, in section 3 the bounded model checking for 
ACTL* is presented. The implementation of BMC for Discrete Timed Automata 
is described in section 4. Experimental results are presented in section 5. The 
last section contains final remarks. 

2 Related Work 

Our paper shows for the first time an extension of the BMC method based 
on SAT procedures to verification of all the properties expressible in ACTL*. 
It builds upon the results of [23], where an approach to applying BMC for 
ACTL was described. The idea of BMC for a temporal logic is taken from [6, 7]. 
The BMC method has also been applied for LTL model checking of 1-safe Petri 
Nets [18] and Timed Automata [2], for TACTL model checking of Timed Au- 
tomata [25, 24], for checking reachability of Petri Nets [17] and Timed Au- 
tomata [20, 26, 29], and for past LTL model checking of digital circuits [3]. A moti- 
vation for considering the universal fragment of CTL* can be found in [16, 22]. 
The discrete timed automata were considered by several authors [8, 5] because 
the model checking of such automata is a very challenging and important task. 
3 Bounded Model Checking 

In this section we describe our techniques for ACTL* bounded model checking. 
First, we give some background and notational conventions that are used in the 
rest of the paper. Then, we describe the bounded semantics for ECTL*. Finally, 
we show the reduction of the BMC method to propositional satisfiability for 
ACTL* formulas. 

Since the paper is an extended abstract, the intuitive explanations of the 
introduced definitions and proofs are omitted, but they can be found in [30]. 



3.1 Background 

The specification of a system is expressed in ACTL* (the universal fragment of 
CTL*) [10]. ACTL* is defined as the subset of CTL* formulas [10] that are 
in negation normal form (NNF)^1 and contain the universal path quantifier (A) 
only. ECTL* is defined in the same way, but only the existential path quantifier 
(E) is allowed. We consider the following operators: the next state (X), the 
eventually (F), the always (G), the until (U), and the release (R, dual to U). 

The implementation of a system is described as a Kripke structure $M = 
(S, \rightarrow, s^0, V)$, where $S$ is a finite set of states, $\rightarrow \subseteq S \times S$ is a total binary 
(successor) relation on $S$ (i.e., each state has at least one $\rightarrow$-successor), $s^0 \in S$ is 
an initial state and $V : S \rightarrow 2^{PV}$ is a valuation function such that $true \in V(s)$ 
for all $s \in S$, where $PV$ is a set of propositional variables containing the symbol 
$true$. 

We use Kripke structures as models in order to give the semantics of 
the logic CTL*. For the rest of the paper we consider only Kripke struc- 
tures for which we have a Boolean encoding. We require that $S \subseteq \{0, 1\}^n$, 
for $n = \lceil \log_2(|S|) \rceil$, and that each state can be represented by a vector of 
state variables $w = (w[1], \dots, w[n])$, where $w[i]$ are propositional variables 
for $i = 1, \dots, n$. Moreover, we define the following propositional formulas: 
$I_s(w) := \bigwedge_{i=1}^{n} lit(s[i], w[i])$^2 for $s = (s[1], \dots, s[n]) \in S$; $T(w, w')$ such that for 
every interpretation of state variables $Val \in \{0, 1\}^{SV}$^3: $Val$ satisfies $T(w, w')$ iff 
$(Val(w), Val(w')) \in \rightarrow$; $p(w)$ such that for every interpretation of state vari- 
ables $Val \in \{0, 1\}^{SV}$: $Val$ satisfies $p(w)$ iff $p \in V(Val(w))$, for $p \in PV$; $H(w, w') 
:= \bigwedge_{i=1}^{n} (w[i] \leftrightarrow w'[i])$; $L_{k,j}(l) := T(w_{k,j}, w_{l,j})$. For an infinite sequence of 
states $\pi = (s_0, s_1, \dots)$ we define $\pi(i) = s_i$ and $\pi^i = (s_i, s_{i+1}, \dots)$ for $i \in \mathbb{N}$. An 
infinite sequence of states $\pi$ is a path if $(s_i, s_{i+1}) \in \rightarrow$ for all $i \in \mathbb{N}$. 

^1 A CTL* formula is in negation normal form if the negations can occur in front of 
the propositional variables only. 

^2 Let $SV$ be a set of the state variables containing the symbols $true$ and $false$, and 
let $SF$ be a set of propositional formulas built over $SV$. $lit : \{0, 1\} \times SV \rightarrow SF$ is 
a function defined as follows: $lit(0, p) = \neg p$ and $lit(1, p) = p$. 

^3 $Val : SV \rightarrow \{0, 1\}$ is an interpretation for state variables and $Val : SV^n \rightarrow \{0, 1\}^n$ 
is its extension for vectors of state variables such that $Val(w[1], \dots, w[n]) = 
(Val(w[1]), \dots, Val(w[n]))$. 
Definition 1. Let $M$ be a model, $s \in S$ be a state, $\pi$ be a path, $\alpha_1, \alpha_2$ be state 
formulas and $\beta_1, \beta_2$ be path formulas. $M, s \models \alpha_1$ denotes that $\alpha_1$ is true at the 
state $s$ in the model $M$. $M, \pi \models \beta_1$ denotes that $\beta_1$ is true along the path $\pi$ in the 
model $M$. $M$ is omitted if it is implicitly understood. The relation $\models$ is defined 
inductively as follows: 

$s \models p$ iff $p \in V(s)$, 
$s \models \neg\alpha_1$ iff $s \not\models \alpha_1$, 
$s \models \alpha_1 \vee \alpha_2$ iff $s \models \alpha_1$ or $s \models \alpha_2$, 
$s \models \alpha_1 \wedge \alpha_2$ iff $s \models \alpha_1$ and $s \models \alpha_2$, 
$s \models \mathrm{E}\beta_1$ iff $\exists \pi\ (\pi(0) = s$ and $\pi \models \beta_1)$, 
$\pi \models \alpha_1$ iff $\pi(0) \models \alpha_1$, 
$\pi \models \beta_1 \vee \beta_2$ iff $\pi \models \beta_1$ or $\pi \models \beta_2$, 
$\pi \models \beta_1 \wedge \beta_2$ iff $\pi \models \beta_1$ and $\pi \models \beta_2$, 
$\pi \models \mathrm{X}\beta_1$ iff $\pi^1 \models \beta_1$, 
$\pi \models \mathrm{F}\beta_1$ iff $(\exists m \ge 0)\ \pi^m \models \beta_1$, 
$\pi \models \mathrm{G}\beta_1$ iff $(\forall m \ge 0)\ \pi^m \models \beta_1$, 
$\pi \models \beta_1 \mathrm{U} \beta_2$ iff $(\exists m \ge 0)\ (\pi^m \models \beta_2$ and $(\forall j < m)\ \pi^j \models \beta_1)$, 
$\pi \models \beta_1 \mathrm{R} \beta_2$ iff $(\forall m \ge 0)\ (\pi^m \models \beta_2$ or $(\exists j < m)\ \pi^j \models \beta_1)$. 

Definition 2 (Validity). A CTL* formula $\varphi$ is valid in $M = ((S, \rightarrow, s^0), V)$ 
(denoted $M \models \varphi$) iff $M, s^0 \models \varphi$, i.e., $\varphi$ is true at the initial state of the model $M$. 

Let $M$ be a given model and $\psi$ be a given ACTL* formula. Our aim is to 
show that $\psi$ does not hold in $M$ (i.e., $M \not\models \psi$), which means to show that 
$M \models \neg\psi$ (notice that $\neg\psi$ is an ECTL* formula). To solve this problem we 
use the bounded model checking method. In order to deal with the bounded 
model checking method for ACTL*, we have to define the bounded semantics 
for ECTL*, which allows us to interpret the formulas over a fragment of the 
considered model only. 

3.2 Bounded Semantics of ECTL* 

In order to define the bounded semantics for ECTL* we have to introduce the 
notions of $k$-paths, loops, and $k$-models. 

Let $M = (S, \rightarrow, s^0, V)$ be a model and $k \in \mathbb{N}_+$^4. A $k$-path $\pi_k = (s_0, \dots, s_k)$ is 
a finite sequence of states such that $(s_i, s_{i+1}) \in \rightarrow$ for each $s_i \in S$ and $0 \le i < k$. 
For a $k$-path $\pi_k = (s_0, \dots, s_k)$ let $\pi_{i,k} = (s_i, \dots, s_k)$ for each $i \in \{0, \dots, k\}$. 
Though a $k$-path is finite, it still can represent an infinite path if there is a loop 
from the last state of the $k$-path to any of the previous states. A $k$-path $\pi_k$ 
is a loop if $(\pi_k(k), \pi_k(l)) \in \rightarrow$ for some $0 \le l \le k$. The $k$-model for $M$ is 
a tuple $M_k = (S, Path_k, s^0, V)$, where $Path_k$ is the set of all the $k$-paths of $M$. 
Note that the set of all the $k$-paths determines the transition relation of $M$ in 
an unambiguous manner. Moreover, the set $Path_k$ is finite. 

The bounded semantics is defined over a $k$-model $M_k$. The definition of the 
bounded semantics of the temporal operators depends on whether a considered 
$k$-path of $M_k$ is a loop or not. In order to distinguish which of the $k$-paths are 
loops we define the following auxiliary function. 

^4 $\mathbb{N}_+ = \{1, 2, \dots\}$ is the set of positive natural numbers. 
Definition 3. Let $M = (S, \rightarrow, s^0, V)$ be a model, $M_k = (S, Path_k, s^0, V)$ be 
a $k$-model for $M$ and $\pi_k \in Path_k$ be a $k$-path. A function $loop : Path_k \rightarrow 
2^{\{0, \dots, k\}}$ is defined as: $loop(\pi_k) = \{l \mid l \le k$ and $(\pi_k(k), \pi_k(l)) \in \rightarrow\}$. 

Definition 4 (Bounded Semantics). Let $M_k$ be a $k$-model, $\alpha_1, \alpha_2$ be state 
formulas and $\beta_1, \beta_2$ be path formulas. $M_k, s \models \alpha$ denotes that $\alpha$ is true at the 
state $s$ of $M_k$. $M_k, \pi_{0,k} \models \beta$ denotes that $\beta$ is true along the $k$-path $\pi_k$ of $M_k$. $M_k$ 
is omitted if it is implicitly understood. The relation $\models$ is defined inductively as 
follows: 

$s \models p$ iff $p \in V(s)$, 
$s \models \neg p$ iff $p \notin V(s)$, 
$s \models \alpha_1 \vee \alpha_2$ iff $s \models \alpha_1$ or $s \models \alpha_2$, 
$s \models \alpha_1 \wedge \alpha_2$ iff $s \models \alpha_1$ and $s \models \alpha_2$, 
$s \models \mathrm{E}\beta_1$ iff $\exists \pi_k \in Path_k\ (\pi_k(0) = s$ and $\pi_{0,k} \models \beta_1)$, 
$\pi_{m,k} \models \alpha_1$ iff $\pi_k(m) \models \alpha_1$, 
$\pi_{m,k} \models \beta_1 \vee \beta_2$ iff $\pi_{m,k} \models \beta_1$ or $\pi_{m,k} \models \beta_2$, 
$\pi_{m,k} \models \beta_1 \wedge \beta_2$ iff $\pi_{m,k} \models \beta_1$ and $\pi_{m,k} \models \beta_2$, 
$\pi_{m,k} \models \mathrm{X}\beta_1$ iff ($\pi_{m+1,k} \models \beta_1$ and $m < k$) or ($\exists_{l \in loop(\pi_k)}\ \pi_{l,k} \models \beta_1$ and $m = k$), 
$\pi_{m,k} \models \mathrm{F}\beta_1$ iff ($\exists_{m \le i \le k}\ \pi_{i,k} \models \beta_1$) or ($\exists_{l \in loop(\pi_k)} \exists_{l \le i < m}\ \pi_{i,k} \models \beta_1$), 
$\pi_{m,k} \models \mathrm{G}\beta_1$ iff $\exists_{l \in loop(\pi_k)} \forall_{\min(m,l) \le i \le k}\ \pi_{i,k} \models \beta_1$, 
$\pi_{m,k} \models \beta_1 \mathrm{U} \beta_2$ iff $\exists_{m \le i \le k}\ (\pi_{i,k} \models \beta_2$ and $\forall_{m \le j < i}\ \pi_{j,k} \models \beta_1)$ or 
$\exists_{l \in loop(\pi_k)} \exists_{l \le i < m}\ (\pi_{i,k} \models \beta_2$ and $\forall_{m \le j \le k}\ \pi_{j,k} \models \beta_1$ and $\forall_{l \le j < i}\ \pi_{j,k} \models \beta_1)$, 
$\pi_{m,k} \models \beta_1 \mathrm{R} \beta_2$ iff ($\exists_{l \in loop(\pi_k)} \forall_{\min(m,l) \le i \le k}\ \pi_{i,k} \models \beta_2$) or 
$\exists_{m \le i \le k}\ (\pi_{i,k} \models \beta_1$ and $\forall_{m \le j \le i}\ \pi_{j,k} \models \beta_2)$ or 
$\exists_{l \in loop(\pi_k)} \exists_{l \le i < m}\ (\pi_{i,k} \models \beta_1$ and $\forall_{m \le j \le k}\ \pi_{j,k} \models \beta_2$ and $\forall_{l \le j \le i}\ \pi_{j,k} \models \beta_2)$. 

Definition 5 (Validity for Bounded Semantics). An ECTL* formula $\varphi$ is 
valid in a $k$-model $M_k$ (denoted $M \models_k \varphi$) iff $M_k, s^0 \models \varphi$. 

The main theorem of this section states that the bounded semantics is equiv- 
alent to the unbounded one, which means that the model checking problem 
($M \models \varphi$) can be reduced to the bounded model checking problem ($M \models_k \varphi$). 

Theorem 1 ([30]). Let $M = (S, \rightarrow, s^0, V)$ be a model, $\varphi$ be an ECTL* formula. 
Then for some k < (|M| • 21 ''’!)^, M \= p iff M \=k p. 

The above theorem guarantees the completeness of our BMC method. De- 
spite the fact that the bound from the theorem is very large and therefore 
quite impractical, it is often the case that some essentially smaller bounds are 
sufficient. This is, in fact, the reason that the BMC method is sometimes very 
efficient. 
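The bounded semantics of Definitions 3 to 5 can be run directly on a small model. The Python below is an added example (not code from the paper): over a constructed three-state Kripke structure it enumerates $Path_k$, computes $loop(\pi_k)$ and evaluates path formulas position by position exactly as in Definition 4, which makes visible why $\mathrm{E\,X\,G}\,p$ is only found once $k$ is large enough for the $k$-path to close a loop.

```python
# Added example (not the paper's code): Definitions 3-5 executed on a constructed Kripke
# structure.  Formulas are tuples in NNF: ("prop", p) | ("nprop", p) | ("or", a, b) |
# ("and", a, b) | ("E", beta) | ("X", b) | ("F", b) | ("G", b) | ("U", b1, b2) | ("R", b1, b2).

# Constructed model M = (S, ->, s0, V): S = {0, 1, 2}, 0 -> 1 -> 2 -> 1, p holds in 1 and 2.
SUCC = {(0, 1), (1, 2), (2, 1)}
LABEL = {0: {"true"}, 1: {"true", "p"}, 2: {"true", "p"}}
S0 = 0


def k_paths(s, k):
    """Path_k restricted to the k-paths (s_0, ..., s_k) with s_0 = s."""
    paths = [(s,)]
    for _ in range(k):
        paths = [pi + (t,) for pi in paths for (u, t) in SUCC if u == pi[-1]]
    return paths


def loop(pi):
    """Definition 3: loop(pi_k) = { l <= k : (pi_k(k), pi_k(l)) in -> }."""
    k = len(pi) - 1
    return {l for l in range(k + 1) if (pi[k], pi[l]) in SUCC}


def sat_state(alpha, s, k):
    """M_k, s |= alpha for a state formula alpha (Definition 4, state clauses)."""
    op = alpha[0]
    if op == "prop":
        return alpha[1] in LABEL[s]
    if op == "nprop":
        return alpha[1] not in LABEL[s]
    if op == "or":
        return sat_state(alpha[1], s, k) or sat_state(alpha[2], s, k)
    if op == "and":
        return sat_state(alpha[1], s, k) and sat_state(alpha[2], s, k)
    if op == "E":  # some k-path starting in s satisfies the path formula
        return any(sat_path(alpha[1], pi, 0) for pi in k_paths(s, k))
    raise ValueError(f"not a state formula: {op}")


def sat_path(beta, pi, m):
    """M_k, pi_{m,k} |= beta for a path formula beta (Definition 4, path clauses)."""
    k = len(pi) - 1
    op = beta[0]
    if op in ("prop", "nprop", "E"):          # state formula, evaluated at pi_k(m)
        return sat_state(beta, pi[m], k)
    if op == "or":
        return sat_path(beta[1], pi, m) or sat_path(beta[2], pi, m)
    if op == "and":
        return sat_path(beta[1], pi, m) and sat_path(beta[2], pi, m)
    ls = loop(pi)
    b1 = beta[1]

    def at(f, i):
        return sat_path(f, pi, i)

    if op == "X":
        return at(b1, m + 1) if m < k else any(at(b1, l) for l in ls)
    if op == "F":
        return any(at(b1, i) for i in range(m, k + 1)) or \
            any(at(b1, i) for l in ls for i in range(l, m))
    if op == "G":  # only a k-path that closes a loop can witness G
        return any(all(at(b1, i) for i in range(min(m, l), k + 1)) for l in ls)
    b2 = beta[2]
    if op == "U":
        direct = any(at(b2, i) and all(at(b1, j) for j in range(m, i))
                     for i in range(m, k + 1))
        around = any(at(b2, i) and all(at(b1, j) for j in range(m, k + 1))
                     and all(at(b1, j) for j in range(l, i))
                     for l in ls for i in range(l, m))
        return direct or around
    if op == "R":
        forever = any(all(at(b2, i) for i in range(min(m, l), k + 1)) for l in ls)
        direct = any(at(b1, i) and all(at(b2, j) for j in range(m, i + 1))
                     for i in range(m, k + 1))
        around = any(at(b1, i) and all(at(b2, j) for j in range(m, k + 1))
                     and all(at(b2, j) for j in range(l, i + 1))
                     for l in ls for i in range(l, m))
        return forever or direct or around
    raise ValueError(f"not a path formula: {op}")


def bounded_check(phi, k):
    """M |=_k phi (Definition 5): phi is evaluated at the initial state of the k-model."""
    return sat_state(phi, S0, k)


if __name__ == "__main__":
    exgp = ("E", ("X", ("G", ("prop", "p"))))
    for k in (1, 2, 3):
        # k=1: the only 1-path (0,1) has no loop, so G cannot hold; k=2: (0,1,2) loops to 1
        print(f"k={k}: M |=_k E X G p is {bounded_check(exgp, k)}")
```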
3.3 Translation 

In this subsection we show the reduction of bounded model checking for 
ACTL* to propositional satisfiability. We use the same general algorithm BMC 
as for ACTL and TACTL [23, 25]. We start with introducing a definition of 
a function $f_k$ determining the number of $k$-paths, which is sufficient for checking 
an ECTL* formula in a $k$-model $M_k$. 



Definition 6. Define a function $f_k$ from ECTL* formulas to $\mathbb{N}$ as follows: 

$f_k(p) = f_k(\neg p) = 0$, where $p \in PV$, 
$f_k(\alpha \vee \beta) = \max\{f_k(\alpha), f_k(\beta)\}$, 
$f_k(\alpha \wedge \beta) = f_k(\alpha) + f_k(\beta)$, 
$f_k(\mathrm{E}\alpha) = f_k(\alpha) + 1$, 
$f_k(\mathrm{X}\alpha) = f_k(\alpha)$, 
$f_k(\mathrm{F}\alpha) = f_k(\alpha)$, 
$f_k(\mathrm{G}\alpha) = (k + 1) \cdot f_k(\alpha)$, 
$f_k(\alpha \mathrm{U} \beta) = k \cdot f_k(\alpha) + f_k(\beta)$, 
$f_k(\alpha \mathrm{R} \beta) = (k + 1) \cdot f_k(\beta) + f_k(\alpha)$. 



In order to handle an arbitrary ECTL* formula $\varphi$ the function $f_k$ is successively 
applied to the subformulas of $\varphi$. It is easy to see that the value of $f_k$ depends 
on the number of the existential quantifiers, and the temporal operators U and 
G appearing in $\varphi$. 

Although there exist formulas for which the value of $f_k$ is exponential w.r.t. 
their size, in practice one uses the formulas for which the number of sufficient $k$- 
paths is reasonably small. Moreover, it is very important to mention that the 
actual depth reachable in the model is obtained by a combination of the con- 
sidered $k$-paths, and it is at most equal to $k \cdot f_k(\varphi)$, but, more importantly, it 
is never smaller than $k \cdot n$, where $n$ is the number of the existential quantifiers 
followed by G, U or R occurring in $\varphi$. Notice also that the function $f_k$ returns 1 
for all the LTL formulas, which means that all LTL formulas are checked over 
one symbolic path^5. 

Given a model $M$, an ECTL* formula $\varphi$ and a bound $k$, we shall construct 
a propositional formula $[M, \varphi]_k$ which is satisfiable iff $M \models_k \varphi$. We define a sym- 
bolic $k$-path as a finite sequence $(w_0, \dots, w_k)$ of vectors of state variables. To 
construct $[M, \varphi]_k$, we first define a propositional formula $[M^{\varphi,s}]_k$ that con- 
strains $f_k(\varphi)$ symbolic $k$-paths to be valid $k$-paths of $M_k$. Then, we translate 
the ECTL* formula $\varphi$ to a propositional formula that constrains the sets of $f_k(\varphi)$ 
symbolic $k$-paths to satisfy $\varphi$. 

Definition 7 (Unfolding of the Transition Relation). 
Let $M = (S, \rightarrow, s^0, V)$ be a model, $s \in S$ be a state, $k$ be a bound and $\varphi$ be an 
ECTL* formula. The propositional formula $[M^{\varphi,s}]_k$ is defined as follows: 

$$[M^{\varphi,s}]_k := I_s(w_{0,0}) \wedge \bigwedge_{j=1}^{f_k(\varphi)} \bigwedge_{i=0}^{k-1} T(w_{i,j}, w_{i+1,j})$$ 

where $w_{0,0}$ and $w_{i,j}$ are vectors of state variables for $i = 0, \dots, k$ and $j = 1, \dots, f_k(\varphi)$. 

^5 LTL formulas are formulas of the form $\mathrm{A}\alpha$, where $\alpha$ does not contain any path 
quantifiers. 
The translation of an ECTL* formula $\varphi$ into the propositional formula 
differs w.r.t. $k$-paths that are and that are not loops. In order to distinguish which 
of the $k$-paths are loops we use the propositional formulas $L_{k,n}(l)$. Furthermore, 
at each state $w_{m,n}$ within a $k$-path of index $n$, all the state subformulas of 
a formula being translated to the $k$-path $n$ of the form $\mathrm{E}\beta$ (where $\beta$ is a path 
formula) are translated to the $k$-paths that start at that state, i.e., beginning 
with $w_{0,i} = w_{m,n}$ for all $i \in \{1, \dots, f_k(\varphi)\}$. 

We use $[\varphi]_k^{[m,n]}$, where $0 \le m \le k$ and $0 \le n \le f_k(\varphi)$, to denote the 
translation of an ECTL* formula $\varphi$ at $w_{m,n}$ to a propositional formula. 

Translation of an ECTL* formula. Let $\alpha, \beta$ be path formulas. 

$[p]_k^{[m,n]} := p(w_{m,n})$, \quad $[\neg p]_k^{[m,n]} := \neg p(w_{m,n})$, 
$[\alpha \vee \beta]_k^{[m,n]} := [\alpha]_k^{[m,n]} \vee [\beta]_k^{[m,n]}$, \quad $[\alpha \wedge \beta]_k^{[m,n]} := [\alpha]_k^{[m,n]} \wedge [\beta]_k^{[m,n]}$, 
$[\mathrm{E}(\alpha)]_k^{[m,n]} := \bigvee_{i \in F_k(\varphi)} \big( H(w_{m,n}, w_{0,i}) \wedge [\alpha]_k^{[0,i]} \big)$, where $F_k(\varphi) = \{1, \dots, f_k(\varphi)\} \setminus \{n\}$, 
$[\mathrm{X}\alpha]_k^{[m,n]} := [\alpha]_k^{[m+1,n]}$ if $m < k$, and $\bigvee_{l=0}^{k} \big( L_{k,n}(l) \wedge [\alpha]_k^{[l,n]} \big)$ otherwise, 
$[\mathrm{F}\alpha]_k^{[m,n]} := \bigvee_{i=m}^{k} [\alpha]_k^{[i,n]} \vee \bigvee_{l=0}^{k} \big( L_{k,n}(l) \wedge \bigvee_{i=l}^{m-1} [\alpha]_k^{[i,n]} \big)$, 
$[\mathrm{G}\alpha]_k^{[m,n]} := \bigvee_{l=0}^{k} \big( L_{k,n}(l) \wedge \bigwedge_{i=\min(m,l)}^{k} [\alpha]_k^{[i,n]} \big)$, 
$[\alpha \mathrm{U} \beta]_k^{[m,n]} := \bigvee_{i=m}^{k} \big( [\beta]_k^{[i,n]} \wedge \bigwedge_{j=m}^{i-1} [\alpha]_k^{[j,n]} \big) \vee 
\bigvee_{l=0}^{k} \big( L_{k,n}(l) \wedge \bigvee_{i=l}^{m-1} \big( [\beta]_k^{[i,n]} \wedge \bigwedge_{j=m}^{k} [\alpha]_k^{[j,n]} \wedge \bigwedge_{j=l}^{i-1} [\alpha]_k^{[j,n]} \big) \big)$, 
$[\alpha \mathrm{R} \beta]_k^{[m,n]} := \bigvee_{l=0}^{k} \big( L_{k,n}(l) \wedge \bigwedge_{i=\min(m,l)}^{k} [\beta]_k^{[i,n]} \big) \vee 
\bigvee_{i=m}^{k} \big( [\alpha]_k^{[i,n]} \wedge \bigwedge_{j=m}^{i} [\beta]_k^{[j,n]} \big) \vee 
\bigvee_{l=0}^{k} \big( L_{k,n}(l) \wedge \bigvee_{i=l}^{m-1} \big( [\alpha]_k^{[i,n]} \wedge \bigwedge_{j=m}^{k} [\beta]_k^{[j,n]} \wedge \bigwedge_{j=l}^{i} [\beta]_k^{[j,n]} \big) \big)$. 

We define $[\varphi]_{M_k}$ as $[\varphi]_k^{[0,0]}$ and $[M, \varphi]_k$ as $[\varphi]_{M_k} \wedge [M^{\varphi, s^0}]_k$. 

Correctness of our translation is guaranteed by the following theorem. 

Theorem 2 ([30]). Let $M$ be a model, $k$ be a bound, and $\varphi$ be an ECTL* for- 
mula. Then, $M \models_k \varphi$ iff $[M, \varphi]_k$ is satisfiable. 



4 Implementation of BMC for Discrete Timed Automata 

In this section we show how BMC can be applied to verification of Discrete 
Timed Automata, that are used for representing concurrent systems. 
4.1 Discrete Timed Automata 

This subsection gives a definition of discrete timed automata and introduces two 
bisimilar models for such automata, a concrete model and an abstract model. 

We start with introducing some auxiliary notation. Let $X$ be a finite set of 
variables, called clocks. A clock valuation is a function $v : X \rightarrow \mathbb{N}$, assigning to 
each clock $x$ a natural value $v(x)$. The clock valuation which assigns the value 0 
to all the clocks is denoted by $v^0$. The set of all the valuations is denoted by 
$\mathbb{N}^n$, where $n$ is the number of clocks. For a subset $Y$ of $X$ by $v[Y := 0]$ we mean 
the valuation $v'$ such that $\forall x \in Y,\ v'(x) = 0$ and $\forall x \in X \setminus Y,\ v'(x) = v(x)$. For 
$\delta \in \mathbb{N}$, $v + \delta$ denotes the valuation $v''$ such that $\forall x \in X,\ v''(x) = v(x) + \delta$. 

The set $\Phi_X$ of clock constraints over the set of clocks $X$, for $x \in X$, $c \in \mathbb{N}$, and 
$\sim \in \{<, \le, =, \ge, >\}$, is defined inductively as follows: $\psi ::= x \sim c \mid \psi \wedge \psi$. 

A clock valuation $v$ satisfies the clock constraint $\psi \in \Phi_X$ if 

$v \models x \sim c$ iff $v(x) \sim c$, \quad $v \models \psi \wedge \psi'$ iff $v \models \psi$ and $v \models \psi'$. 

For each $\psi \in \Phi_X$ by $\rho(\psi)$ we denote the set of all the clock valuations satis- 
fying $\psi$, i.e., $\rho(\psi) = \{v \in \mathbb{N}^n \mid v \models \psi\}$. Now, we are ready to define a discrete 
timed automaton. 



Definition 8. A discrete timed automaton $A$ is a 6-tuple $(\Sigma, L, l^0, E, X, I)$, 
where $\Sigma$ is a finite set of actions, $L$ is a finite set of locations, $l^0 \in L$ is 
an initial location, $E \subseteq L \times \Sigma \times \Phi_X \times 2^X \times L$ is a transition relation, $X$ is a finite 
set of clocks, and $I : L \rightarrow \Phi_X$ is a state invariant function. 

Each element $e$ of $E$ is denoted by $e := l \xrightarrow{a, \psi, Y} l'$. This represents a transition 
from the location $l$ to the location $l'$ on the input action $a$. $Y \subseteq X$ is the set 
of all the clocks to be reset with this transition, whereas $\psi \in \Phi_X$ is the enabling 
condition for $e$. 

Given a transition $e := l \xrightarrow{a, \psi, Y} l'$, we write $source(e)$, $target(e)$, $action(e)$, 
$guard(e)$ and $reset(e)$ for $l$, $l'$, $a$, $\psi$ and $Y$, respectively. 

The semantics of the discrete timed automaton is defined by associating 
a transition system with it. 



Definition 9 (Concrete Model). A concrete model for the discrete timed 
automaton $A = (\Sigma, L, l^0, E, X, I)$ is a pair $M_A = ((Q, \rightarrow_c, q^0), V)$, where $Q = 
L \times \mathbb{N}^n$ is the set of the concrete states of $A$, $q^0 = (l^0, v^0)$ is the initial state of $A$, 
$\rightarrow_c \subseteq Q \times Q$ is a total binary (successor) relation on $Q$ defined by action- and 
time-successors as follows. Let $a \in \Sigma$ and $\delta \in \mathbb{N}$. 

1. $(l, v) \xrightarrow{a}_c (l', v')$ iff there is a transition $l \xrightarrow{a, \psi, Y} l' \in E$ such that $v \models \psi$ and 
$v' = v[Y := 0]$ and $v' \models I(l')$, 

2. $(l, v) \xrightarrow{\delta}_c (l', v')$ iff $l = l'$ and $v' = v + \delta$ and $v' \models I(l')$. 

$V : Q \rightarrow 2^{PV}$ is a valuation function such that $true \in V(q)$ for all $q \in Q$. 
Notice that the set of all the concrete states of $A$ is infinite. Since our aim is 
to translate the model checking problem for discrete timed automata and prop- 
erties expressed in ACTL* logic to the SAT-problem, we have to define a finite 
abstraction of the concrete model which preserves ACTL*, namely an abstract 
model based on the region graph [1]. 

Before we give a definition of an abstract model, we introduce some auxiliary 
notations. Let $\Psi \subseteq \Phi_X$ be a non-empty set of clock constraints over $X$, $c_{max}$ be 
the largest constant appearing in a constraint of any enabling condition used 
in the transition relation $E$ or in a state invariant of $A$. Moreover, let $n$ be the 
number of the clocks of $A$. 

Definition 10 (Equivalence of Clock Valuations). For two clock valua- 
tions $v$ and $v'$ in $\mathbb{N}^n$, $v \simeq v'$ iff for all $x \in X$ the following condition is met: 
($v(x) > c_{max}$ and $v'(x) > c_{max}$) or ($v(x) \le c_{max}$ and $v'(x) \le c_{max}$ and 
$v(x) = v'(x)$). 

It is easy to see that the relation $\simeq$ is an equivalence relation on the set of 
all the clock valuations for a given discrete timed automaton. 

The equivalence classes of the relation $\simeq$ are called zones and are denoted 
by $Z$ and $Z'$. The set of all the zones is denoted by $\mathcal{Z}(n)$. The zone $Z^0 = 
\{v \in \mathbb{N}^n \mid (\forall x \in X)\ v(x) = 0\}$ is called initial. A zone $Z$ is final iff $v(x) > c_{max}$ 
for all $v \in Z$ and $x \in X$. A zone $Z$ is open if there is a clock $x \in X$ such 
that $v(x) > c_{max}$ for all $v \in Z$. A zone $Z$ satisfies a clock constraint $\psi \in \Phi_X$ 
(written $Z \models \psi$) iff $\forall v \in Z,\ v \models \psi$. Define the following operation on zones: 
$Z[Y := 0] = \{v[Y := 0] \mid v \in Z\}$. 

Note that all the zones which are not open consist of one point only. 

Definition 11 (Time Successor). Let $Z$ and $Z'$ be two distinct zones. If $Z$ 
is not final, then the zone $Z'$ is the time successor of $Z$ iff for each $v \in Z$ there 
exists $\delta \in \mathbb{N}$ such that $v + \delta \in Z'$ and $v + \delta' \in Z \cup Z'$ for all $\delta' \le \delta$. If $Z$ is the 
final zone, then the time successor of $Z$ is the same zone $Z$. The time successor 
of $Z$ is denoted by $t(Z)$. 

Definition 12 (Action Successor). The zone $Z'$ is said to be the action suc- 
cessor of $Z$ by a transition $e : l \xrightarrow{a, \psi, Y} l' \in E$ iff $Z \models \psi$ and $Z' = Z[Y := 0]$. The 
action successor of $Z$ is denoted by $e(Z)$. 

A region is a pair $(l, Z)$, where $l \in L$ and $Z \in \mathcal{Z}(n)$. Note that the set of all 
the regions is finite. 

Now, we are ready to define an abstract model. 

Definition 13 (Abstract Model). An abstract model for the discrete timed 
automaton $A = (\Sigma, L, l^0, E, X, I)$ is a pair $M = ((S, \rightarrow, s^0), V)$, where $S = L \times 
\mathcal{Z}(n)$, $s^0 = (l^0, Z^0)$ and $\rightarrow \subseteq S \times (E \cup \{\tau\}) \times S$ is defined as follows: 

1. $(l, Z) \xrightarrow{e} (l', Z')$ iff $Z' = e(Z)$, $l = source(e)$, $l' = target(e)$, and 
$Z' \models I(l')$, for $e \in E$, 

2. $(l, Z) \xrightarrow{\tau} (l, Z')$ iff $Z' \models I(l)$ and $Z' = t(Z)$. 

$V : S \rightarrow 2^{PV}$ is a valuation function such that $true \in V(s)$ for all $s \in S$. 
4.2 Distinguishing Power of ACTL* 

Let $M = (S, \rightarrow, s^0, V)$ and $M' = (S', \rightarrow', s'^0, V')$ be two models. 

Definition 14 (Simulation [16]). A relation $\simeq_s \subseteq S \times S'$ is a simulation 
from $M$ to $M'$ if the following conditions hold: 

1. $s^0 \simeq_s s'^0$, 

2. if $s \simeq_s s'$, then $V'(s') = V(s)$ and for every $s'_1$ such that $(s', s'_1) \in \rightarrow'$ there 
is $s_1$ such that $(s, s_1) \in \rightarrow$ and $s_1 \simeq_s s'_1$. 

Model $M$ simulates model $M'$ ($M \simeq_s M'$) if there is a simulation from $M$ to $M'$. 
Two models $M$ and $M'$ are called bisimilar if $M \simeq_s M'$ and $M' \simeq_s^{-1} M$. 

Theorem 3 ([16]). If $M$ simulates $M'$, then 

- $M, s^0 \models \varphi$ implies $M', s'^0 \models \varphi$, for any ACTL* formula $\varphi$ over $PV$, 

- $M', s'^0 \models \varphi$ implies $M, s^0 \models \varphi$, for any ECTL* formula $\varphi$ over $PV$. 

Lemma 1. Let $A$ be a discrete timed automaton, and let $M$ be the concrete 
model for $A$ and $M'$ be the abstract model for $A$. Then, the models $M$ and $M'$ 
are bisimilar. 

Proof. Define the relation $\simeq_s \subseteq Q \times S$ as follows: $(l, v) \simeq_s (l', Z)$ iff $l = l'$ and 
$v \in Z$. It is easy to check that the relation $\simeq_s$ is a simulation from $M$ to $M'$ 
and the relation $\simeq_s^{-1}$ is a simulation from $M'$ to $M$. 



4.3 Implementation 

To implement our new BMC method for Discrete Timed Automata we have 
to encode both the transition relation of the abstract model of a considered 
automaton and an ECTL* formula by corresponding propositional formulas. 
The encoding of an ECTL* formula was discussed in section 3. This section 
shows the encoding of the transition relation. 

The method is based on the discretization scheme which consists in repre- 
senting each region of the abstract model of $A$ by one or more appropriately 
chosen representative states. 

Let $A = (\Sigma, L, l^0, E, X, I)$ be a timed automaton with $n$ clocks, and let $c_{max}$ 
be the largest constant appearing in a constraint of any enabling condition used 
in the transition relation $E$ or in a state invariant of $A$. The discretized clock 
space is $C^n = \{0, 1, \dots, c_{max} + 1\}^n$. For any zone $Z$, its discretization is defined 
as $\widetilde{Z} = Z \cap C^n$. A discretized zone is called a d-zone. Note that each zone is 
represented by only one representative. 

Let $v \in C^n$ and $\delta \in \mathbb{N}$. Define $v' = v \oplus \delta$ as: $v'(x) = \min\{v(x) + \delta, c_{max} + 1\}$. 
The operation $\oplus$ is defined in order to deal with discretizations of open zones. 

The Discrete Time Successor of $\widetilde{Z}$ is the restriction of $t(Z)$ to points in $C^n$. 
Definition 15 (Discrete Time Successor). Let $\widetilde{Z}, \widetilde{Z}'$ be two distinct d-zones. 
If $\widetilde{Z}$ is not final, then the d-zone $\widetilde{Z}'$ is the discrete time successor of $\widetilde{Z}$ iff for 
each $v \in \widetilde{Z}$ there exists $\delta \in \mathbb{N}$ such that $v \oplus \delta \in \widetilde{Z}'$ and $v \oplus \delta' \in \widetilde{Z} \cup \widetilde{Z}'$ for all 
$\delta' \le \delta$. If $\widetilde{Z}$ is the final d-zone, then the discrete time successor of $\widetilde{Z}$ is the same 
d-zone $\widetilde{Z}$. The Discrete Time Successor of $\widetilde{Z}$ is denoted by $t(\widetilde{Z})$. 

Before we give the definition of the discrete action successors, we introduce 
the following operation on discretized zones: $\widetilde{Z}[Y := 0] = \{v[Y := 0] \mid v \in \widetilde{Z}\}$. 

Definition 16 (Discrete Action Successor). Let $\widetilde{Z}, \widetilde{Z}'$ be two d-zones. The 
d-zone $\widetilde{Z}'$ is said to be the discrete action successor of the d-zone $\widetilde{Z}$ by a transition 
$e : l \xrightarrow{a, \psi, Y} l' \in E$ iff $\widetilde{Z} \subseteq \rho(\psi) \cap C^n$ and $\widetilde{Z}' = \widetilde{Z}[Y := 0]$. The action successor 
of $\widetilde{Z}$ is denoted by $e(\widetilde{Z})$. 

It is easy to see that the discretization preserves the time successor and the 
action successor. 

Now, we are ready to define a region graph for a Discrete Timed Automaton. 
This structure enables us to implement the bounded model checking problem 
for Discrete Timed Automata. 

Definition 17. A region graph for the discrete timed automaton $A = (\Sigma, L, l^0, 
E, X, I)$ is a finite structure $\mathcal{RG}(A) = (\widetilde{S}, \rightarrow, \widetilde{s}^0)$, where $\widetilde{S} = \{(l, \widetilde{Z}) \mid (l, Z) \in 
L \times \mathcal{Z}(n)\}$, $\widetilde{s}^0 = (l^0, \widetilde{Z}^0)$ and $\rightarrow \subseteq \widetilde{S} \times (E \cup \{\tau\}) \times \widetilde{S}$ is defined as follows: 

- $(l, \widetilde{Z}) \xrightarrow{e} (l', \widetilde{Z}')$ iff $\widetilde{Z}' = e(\widetilde{Z})$, $l = source(e)$, $l' = target(e)$, and 
$\widetilde{Z}' \subseteq \rho(I(l')) \cap C^n$, for $e \in E$, 

- $(l, \widetilde{Z}) \xrightarrow{\tau} (l, \widetilde{Z}')$ iff $\widetilde{Z}' \subseteq \rho(I(l)) \cap C^n$ and $\widetilde{Z}' = t(\widetilde{Z})$. 

The discretized model based on the region graph of $A$ is defined as $\widetilde{M} = 
(\mathcal{RG}(A), \widetilde{V})$, where $\widetilde{V} : \widetilde{S} \rightarrow 2^{PV}$ with $\widetilde{V}((l, \widetilde{Z})) = V((l, Z))$, where $V$ is the 
valuation function for $A$. 

Since the discretized model $\widetilde{M}$ is isomorphic with the abstract model $M$ for 
$A$ (Definition 13), we have $\widetilde{M} \models_k \varphi$ iff $M \models_k \varphi$, for any ECTL* formula $\varphi$. 

Now, we can construct a propositional formula $[\widetilde{M}, \varphi]_k$ that is satisfiable iff 
$\widetilde{M} \models_k \varphi$. An implementation of $[\widetilde{M}, \varphi]_k$ can be found in [30]. 
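Definitions 15 to 17 and the discretization of Section 4.3 can be exercised on a small automaton. The Python below is an added example (not code from the paper or from the Verics tool): it builds the reachable part of the region graph $\mathcal{RG}(A)$ by breadth-first search for a constructed one-clock discrete timed automaton with $c_{max} = 3$; the locations l0, l1, the actions a, b, the guards and the invariant are my own choices, and every d-zone is handled as the single point of $C^n$ that represents it.

```python
from collections import deque

# Added example (not the paper's or the Verics tool's code): the region graph RG(A) of
# Definition 17 for a constructed one-clock discrete timed automaton, using the
# discretized clock space C^n = {0, ..., c_max + 1}^n and the (+) operation of Section 4.3.

CMAX = 3                 # largest constant in any guard or invariant below
CLOCKS = ("x",)          # X = {x}, so n = 1 and C^1 = {0, 1, 2, 3, 4}

# E: (source, action, guard, reset set Y, target); a guard is a conjunction of x ~ c atoms.
TRANSITIONS = [
    ("l0", "a", [("x", ">=", 2)], {"x"}, "l1"),
    ("l1", "b", [("x", "<=", 1)], set(), "l0"),
]
INVARIANT = {"l0": [], "l1": [("x", "<=", 3)]}   # I(l0) = true, I(l1) = x <= 3
INITIAL = ("l0", (0,))                           # (l^0, Z~^0)

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def satisfies(v, psi):
    """v |= psi on a point of C^n.  The value c_max + 1 stands for every value above
    c_max; since each constant c <= c_max, comparing c_max + 1 with c gives the same
    truth value as any value above c_max would."""
    return all(OPS[op](v[CLOCKS.index(x)], c) for (x, op, c) in psi)


def plus(v, delta):
    """v (+) delta: v'(x) = min{v(x) + delta, c_max + 1}."""
    return tuple(min(c + delta, CMAX + 1) for c in v)


def reset(v, ys):
    """v[Y := 0]."""
    return tuple(0 if x in ys else c for x, c in zip(CLOCKS, v))


def is_final(v):
    """A final zone: every clock is above c_max."""
    return all(c > CMAX for c in v)


def time_successor(v):
    """t(Z~) of Definition 15.  Every d-zone is a single point of C^n, so for a
    non-final d-zone the successor is the point v (+) 1; the final d-zone is its own."""
    return v if is_final(v) else plus(v, 1)


def successors(state):
    """Outgoing edges of (l, Z~) in RG(A): one tau edge if t(Z~) satisfies I(l), and one
    edge per transition e with Z~ inside the guard and e(Z~) inside I(target(e))."""
    loc, v = state
    out = []
    v_t = time_successor(v)
    if satisfies(v_t, INVARIANT[loc]):
        out.append(("tau", (loc, v_t)))
    for (src, act, guard, ys, tgt) in TRANSITIONS:
        if src == loc and satisfies(v, guard):
            v_a = reset(v, ys)                      # e(Z~) = Z~[Y := 0]
            if satisfies(v_a, INVARIANT[tgt]):
                out.append((act, (tgt, v_a)))
    return out


def region_graph():
    """Breadth-first construction of the reachable part of RG(A).
    Returns (states, edges) with edges labelled by tau or by the action."""
    seen = {INITIAL}
    edges = set()
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for label, t in successors(s):
            edges.add((s, label, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, edges


if __name__ == "__main__":
    states, edges = region_graph()
    # 9 regions: l0 with x in {0,..,4} and l1 with x in {0,..,3}; (l1, 4) violates x <= 3
    print(f"{len(states)} regions, {len(edges)} edges")
    for s, label, t in sorted(edges):
        print(f"{s} --{label}--> {t}")
```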

5 Experimental Results 

We provide experimental results for a well-known example, Fischer's Mutual 
Exclusion Protocol (MUTEX) [27]. The components of the system modeled as 
timed automata are presented in Figure 1. The correctness of the protocol de- 
pends on the time constraints involved, but it is independent of the number 
of the processes. In particular, the following holds: "Fischer's protocol ensures 
mutual exclusion iff $\Delta < \delta$". 
Fig. 1. Fischer's Mutual Exclusion Protocol for two processes (figure showing the automata Process 1, Process 2 and Variable X) 



As the main contribution of the paper is the ACTL* translation, we have cho- 
sen the formulas for which both the number and the length of the paths grow with 
the number of components. Therefore, we have tested MUTEX for the following 
properties (where $\mathrm{X}^n$ abbreviates $n$ nested next-state operators $\mathrm{X} \dots \mathrm{X}$): 

$\psi_1 = \mathrm{A}(\mathrm{F}\, critical_1 \rightarrow \mathrm{X}\mathrm{X}(\mathrm{AF}\, \neg trying_1))$, 

$\psi_2 = \mathrm{A}(\mathrm{F}\, critical_1 \rightarrow \mathrm{X}^n(\mathrm{AF}(\bigvee_{i=2}^{n} \neg trying_i) \vee \mathrm{AF}\, \neg trying_1))$, 

$\psi_3 = \mathrm{A}(\mathrm{F}(\bigwedge_{i=1}^{n} trying_i) \rightarrow \mathrm{X}^n \bigvee_{i=1}^{n} \mathrm{AF}\, \neg trying_i)$. 

n 

The first formula expresses that for each path, if process 1 eventually reaches 
the critical section, then in the next two steps, for each path, process 1 
will not eventually reach the trying section. The second formula expresses that 
for each path, if process 1 eventually reaches its critical section, then in the 
next $n$ steps, for each path, at least one of the processes $2, \dots, n$ will not eventu- 
ally reach its trying section, or on none of the paths will process 1 eventually 
reach its trying section. The third formula expresses that for each path, if all the 
processes eventually reach their trying sections, then in the next $n$ steps at least 
one of all the processes will not eventually reach its trying section, for each path. 

It is easy to calculate (according to the definition of the function $f_k$) that we need 2, 3 and $n + 1$ ($n$ is the number of processes) symbolic $k$-paths in order to find counterexamples for $\psi_1$, $\psi_2$ and $\psi_3$, respectively, i.e., to find witnesses for $\neg\psi_1 = E(F\,critical_1 \wedge XX(EG\,trying_1))$, $\neg\psi_2 = E(F\,critical_1 \wedge \underbrace{X \ldots X}_{n}(EG(\bigwedge_{i=2}^{n} trying_i) \wedge EG\,trying_1))$ and $\neg\psi_3 = E(F(\bigwedge_{i=1}^{n} trying_i) \wedge \underbrace{X \ldots X}_{n}(\bigwedge_{i=1}^{n} EG\,trying_i))$.

Note that none of these formulas can be expressed in LTL or in ACTL. Since no other experimental results of SAT-based methods are available in the literature for Discrete Timed Automata and properties expressed in ACTL*, in this paper we only show how our method works.

We performed our experiments on an IBM PC compatible computer equipped with an AMD Athlon XP 1800 processor (1544 MHz), 768 MB of main memory and the Red Hat Linux 9.0 operating system.

In Tables 1 to 3 we show the experimental results for the MUTEX system and the properties $\psi_1$, $\psi_2$ and $\psi_3$, respectively. The first column of these tables gives the number of components (NoP). The next two show the length and the number of the symbolic $k$-paths. The 4th and the 5th columns show the numbers of propositional variables and clauses generated by BBMC¹, respectively. The 6th and the 7th show the time and the memory consumed by BBMC to generate the set of clauses. The next two columns give the time and the memory consumed by the SAT-solver BerkMin.

Table 1. The property ψ1

                                 BBMC                               BerkMin
NoP   k   fk(ψ)   variables     clauses      sec       MB       sec       MB
  2   7     2          4885       13884      0.2      0.0       0.0      0.0
 10   7     2         45155      131044      2.7      7.6       0.2      0.0
 20   7     2         76523      222735      4.2     14.2       0.4      0.2
 50   7     2        316237      932008     21.5     63.5       1.5     43.0
100   7     2       1051863     3122477     92.0    217.7       5.7    152.6
150   7     2       2208513     6576018    232.1    469.3      14.8    300.2
200   7     2       3783013    11283168    422.0    618.2      30.0    579.6
220   7     2       4530413    13518828    502.2    804.7      38.4    683.1



Table 2. The property ψ2

                                 BBMC                               BerkMin
NoP   k   fk(ψ)   variables     clauses      sec       MB       sec       MB
  2   7     3          7721       22192      0.3      1.5       0.0      0.3
  3   8     3         13098       37739      0.6      1.3       0.1     20.4
  4   9     3         20141       58091      1.0      2.6       0.2     19.8
  5  10     3         28365       81966      1.6      4.3       0.3     21.2
  6  11     3         38159      110449      2.2      6.4       0.7     23.7
  7  12     3         49631      143864      2.8      8.5       2.7     25.7
  8  13     3         63493      184220      3.9     11.2     142.8     28.4
  9  14     3         78688      228591      4.9     14.3     528.4     39.2

¹ BBMC is our tool which generates a set of clauses encoding the model of a tested system and a tested property.
Table 3. The property ψ3

                                 BBMC                               BerkMin
NoP   k   fk(ψ)   variables     clauses      sec       MB       sec       MB
  2   2     3          2525        7204      0.1      0.2       0.1      0.4
  3   3     4          7301       21111      0.4      1.0       0.0      0.0
  4   4     5         16530       48103      1.2      1.9       0.1      0.2
  5   5     6         31381       91740      2.9      5.3       0.3      0.2
  6   6     7         53804      157789      6.1      9.4       1.0     25.8
  7   7     8         85755      252076     13.2     15.8       8.1     31.2
  8   8     9        130623      384590     26.1     24.9     169.6     39.7
  9   9    10        188517      555863     44.7     38.1    3013.2    131.9


6 Conclusion 

We have shown that the BMC method is feasible for the branching time logic ACTL*. Then, we have implemented our new algorithm for discrete timed automata and presented preliminary experimental results, which demonstrate the efficiency of the method.

The solution presented in this paper differs from those of [23] and [6], which could only be applied to ACTL and LTL, respectively. Our method deals with the full language of ACTL*, which subsumes both ACTL and LTL. Moreover, ACTL* seems to be the largest set of temporal properties which can be verified by means of BMC. The present translation is based on the refined function $f_k$, returning the number of paths, which is necessary to check ACTL* formulas. The formal treatment is the basis for the implementation of the technique in the symbolic model checker VerICS.



Acknowledgements 

The authors wish to thank prof. Wojciech Penczek for many useful comments 
and suggestions. 

References 

[1] R. Alur, C. Courcoubetis, and D. Dill. Model checking in dense real-time. Information and Computation, 104(1):2-34, 1993.

[2] G. Audemard, A. Cimatti, A. Kornilowicz, and R. Sebastiani. Bounded model checking for timed systems. In Proc. of RT-TOOLS'02, 2002.

[3] M. Benedetti and A. Cimatti. Bounded Model Checking for Past LTL. In Proc. of TACAS'03, vol. 2619 of LNCS. Springer-Verlag, 2003.

32   Bozena Wozna and Andrzej Zbrzezny

[4] J. Bengtsson, B. Jonsson, J. Lilius, and W. Yi. Partial order reductions for timed systems. In Proc. of CONCUR'98, vol. 1466 of LNCS. Springer-Verlag, 1998.

[5] D. Beyer. Improvements in BDD-based reachability analysis of Timed Automata. In Proc. of FME'01, vol. 2021 of LNCS. Springer-Verlag, 2002.

[6] A. Biere, A. Cimatti, E. Clarke, M. Fujita, and Y. Zhu. Symbolic model checking using SAT procedures instead of BDDs. In Proc. of DAC'99, 1999.

[7] A. Biere, A. Cimatti, E. Clarke, and Y. Zhu. Symbolic model checking without BDDs. In Proc. of TACAS'99, vol. 1579 of LNCS. Springer-Verlag, 1999.

[8] M. Bozga, O. Maler, and S. Tripakis. Efficient verification of Timed Automata using dense and discrete time semantics. In Proc. of CHARME'99, 1999.

[9] E. Clarke, A. Biere, R. Raimi, and Y. Zhu. Bounded model checking using satisfiability solving. Formal Methods in System Design, 19(1):7-34, 2001.

[10] E. M. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.

[11] D. Dams, O. Grumberg, and R. Gerth. Abstract interpretation of reactive systems: Abstractions preserving ACTL*, ECTL* and CTL*. In Proceedings of PROCOMET'94. Elsevier Science Publishers, 1994.

[12] C. Daws and S. Tripakis. Model checking of real-time reachability properties using abstractions. In Proc. of TACAS'98, vol. 1384 of LNCS. Springer-Verlag, 1998.

[13] P. Dembiński, A. Janowska, P. Janowski, W. Penczek, A. Polrola, M. Szreter, B. Wozna, and A. Zbrzezny. VerICS: A Tool for Verifying Timed Automata and Estelle Specifications. In Proc. of TACAS'03, vol. 2619 of LNCS. Springer-Verlag, 2003.

[14] L. de Moura, H. Rueß, and M. Sorea. Lazy theorem proving for bounded model checking over infinite domains. In Proc. of CADE'02, vol. 2392 of LNCS. Springer-Verlag, 2002.

[15] E. A. Emerson and A. P. Sistla. Symmetry and model checking. Formal Methods in System Design, 9:105-131, 1995.

[16] O. Grumberg and D. E. Long. Model checking and modular verification. In Proc. of CONCUR'91, vol. 527 of LNCS. Springer-Verlag, 1991.

[17] K. Heljanko. Bounded reachability checking with process semantics. In Proc. of CONCUR'01, vol. 2154 of LNCS. Springer-Verlag, 2001.

[18] K. Heljanko and I. Niemelä. Bounded LTL model checking with stable models. In Proc. of LPNMR'2001, vol. 2173 of LNCS. Springer-Verlag, 2001.

[19] K. L. McMillan. Symbolic Model Checking: An Approach to the State Explosion Problem. Kluwer Academic Publishers, 1993.

[20] P. Niebert, M. Mahf oudh, E. Asarin, M. Bozga, O. Maler, and N. Jain. Verification of Timed Automata via Satisfiability Checking. In Proc. of FTRTFT'02, vol. 2469 of LNCS. Springer-Verlag, 2002.

[21] D. Peled. Partial order reduction: Linear and branching temporal logics and process algebras. In Proc. of POMIV'96, vol. 29 of ACM/AMS DIMACS Series. Amer. Math. Soc., 1996.

[22] W. Penczek, M. Szreter, R. Gerth, and R. Kuiper. Improving partial order reductions for universal branching time properties. Fundamenta Informaticae, 43:245-267, 2000.

[23] W. Penczek, B. Wozna, and A. Zbrzezny. Bounded model checking for the universal fragment of CTL. Fundamenta Informaticae, 51(1-2):135-156, June 2002.

Checking ACTL* Properties of Discrete Timed Automata   33

[24] W. Penczek, B. Wozna, and A. Zbrzezny. SAT-Based Bounded Model Checking for the Universal Fragment of TCTL. Technical Report 947, ICS PAS, 2002.

[25] W. Penczek, B. Wozna, and A. Zbrzezny. Towards bounded model checking for the universal fragment of TCTL. In Proc. of FTRTFT'02, vol. 2469 of LNCS. Springer-Verlag, 2002.

[26] M. Sorea. Bounded model checking for timed automata. In Proc. of MTCS'02, vol. 68(5) of ENTCS. Elsevier Science Publishers, 2002.

[27] S. Tripakis and S. Yovine. Analysis of timed systems using time-abstracting bisimulations. Formal Methods in System Design, 18(1):25-68, 2001.

[28] P. Wolper and P. Godefroid. Partial-order methods for temporal verification. In Proc. of CONCUR'93, vol. 715 of LNCS. Springer-Verlag, 1993.

[29] B. Wozna, W. Penczek, and A. Zbrzezny. Reachability for timed systems based on SAT-solvers. In Proc. of CS&P'02, vol. II of Informatik-Berichte Nr 161. Humboldt University, 2002.

[30] B. Wozna and A. Zbrzezny. Reaching the limits for Bounded Model Checking. Technical Report 958, ICS PAS, 2003.



Removing Irrelevant Atomic Formulas
for Checking Timed Automata Efficiently*

Jianhua Zhao, Xuandong Li, Tao Zheng, and Guoliang Zheng

State Key Laboratory of Novel Software Technology
Dept. of Computer Sci. and Tech., Nanjing University
Nanjing, Jiangsu, P.R. China 210093
zhaojh@nju.edu.cn



Abstract. Reachability analysis for timed automata can be done by enumeration of time zones, which are conjunctions of atomic formulas of the form $x - y < (\le) n$. This paper shows that some of the atomic formulas in a generated time zone can be removed while the reachability analysis algorithm generates the same set of reachable locations. We call such formulas irrelevant ones. By removing the irrelevant formulas, the number of symbolic states associated with each location is reduced. We present two methods to detect irrelevant formulas. Case studies show that, for some kinds of timed automata, these methods may significantly reduce the space requirement for reachability analysis.



1 Introduction 

Model checking is a formal technique for validating whether a system model satisfies a specific property. The basic method of model checking is exhaustive state space exploration. However, the state space grows explosively when the size of the model increases. This problem is known as 'state-space explosion'. For model checking of real-time systems, the state space explosion problem is even more severe because of the clock variables introduced in the system.

In the literature, most model checking tools for timed automata explore the state space by enumeration of symbolic states [1][2][3]. Generally, the reachability analysis is performed as follows. Starting from the initial symbolic state, the algorithm keeps generating the successors of the states already generated. The algorithm terminates when either it cannot generate more unexplored successors, or it reaches the destination symbolic state. Many techniques have been proposed to attack the 'state-space explosion' problem when performing reachability analysis on timed automata or on parallel compositions of timed automata. These techniques include compact data structures [5], partial order techniques [6][7], inactive clock reduction [8], and so on.

* This paper is supported by the National Natural Science Foundation of China 
(No.60203009, No.60233020, and No.60073031), the National 863 High-Tech Pro- 
gramme of China (No.2001AA113203), and by National Grand Fundamental Re- 
search 973 Program of China (No.2002CB312001). 
Each symbolic state generated by the algorithm is a tuple of a location and a time zone. A time zone is a conjunction of atomic formulas of the form $x - y < (\le) n$, where $x, y$ are clocks or the constant 0 and $n$ is an integer. In this paper, we try to attack the 'state-space explosion' problem caused by the clock variables by reducing the number of generated symbolic states associated with each location. We found that some atomic formulas of the time zones are irrelevant to the evolution of timed automata. The reachability algorithm can remove these formulas while generating the same set of reachable locations. There are two benefits of removing irrelevant formulas. (I) The zones which have the same set of relevant formulas are reduced into one. (II) After removing irrelevant formulas, a time zone may contain other ones that were originally not contained. Thus the number of states associated with each location generated by the analysis algorithm is reduced.

The 'inactive clock reduction' technique can remove the irrelevant atomic formulas associated with inactive clocks. A clock is inactive at a location if the clock is not tested before it is reset on each path leaving this location. For the symbolic states at this location, the atomic formulas about this clock are irrelevant formulas and can be removed.

In this paper, we present two methods to detect and remove more irrelevant formulas, which are not associated with inactive clocks. The case studies show that these methods reduce the space consumption significantly in some cases.

This paper is organized as follows. Section 2 briefly describes timed automata and the reachability-analysis problem. Section 3 describes the basic idea and two methods to detect irrelevant formulas; two basic theorems are also presented in this section. Section 4 presents the improved reachability analysis algorithm. Case studies are presented in Section 5. The last section concludes this paper.

2 Background 

This section informally describes the timed automata and reachability analysis. 

2.1 Timed Automata 

We use $B(C)$, ranged over by $D, D_1, D_2, \ldots$, to stand for the set of conjunctions of atomic formulas of the form $x - y \sim n$ for $x, y \in C \cup \{0\}$, $\sim\, \in \{<, \le\}$ and $n$ being an integer. Elements of $B(C)$ are called time zones over $C$.

We use $G(C)$, ranged over by $g, g_1, g_2, \ldots$, to stand for the set of conjunctions of atomic formulas of the form $x \sim n$ for $x \in C$, $\sim\, \in \{<, \le, >, \ge\}$ and $n$ being an integer. Elements of $G(C)$ are called time guards over $C$. For any clock set $C$, we have $G(C) \subseteq B(C)$.

We define a connection operator $\bullet$ over atomic formulas as follows. Given two atomic formulas $x - y \sim_1 n_1$ and $y - z \sim_2 n_2$, $(x - y \sim_1 n_1) \bullet (y - z \sim_2 n_2) = (x - z \sim_3 n_1 + n_2)$, where $\sim_1, \sim_2 \in \{<, \le\}$, and $\sim_3$ is $\le$ if $\sim_1$ and $\sim_2$ are both $\le$, or $<$ otherwise.
A zone $D$ is canonical if the following condition holds. For any three clocks $x$, $y$ and $z$ ($x$, $y$, $z$ may be the constant 0), if $x - y \sim_1 n_1$ and $y - z \sim_2 n_2$ are atomic formulas in $D$, then there is an atomic formula $x - z \sim_3 n_3$ in $D$ satisfying $(x - z \sim_3 n_3) \Rightarrow (x - y \sim_1 n_1) \bullet (y - z \sim_2 n_2)$. Here $\sim_1, \sim_2, \sim_3 \in \{<, \le\}$.

A timed automaton $A$ is a tuple $\langle N, l_0, C, E, I \rangle$, where $N$ is a finite set of locations, $l_0 \in N$ is the start location; $C$ is a finite set of clocks; $E \subseteq N \times G(C) \times 2^C \times N$ is a set of transitions; $I$ assigns each location an invariant in $G(C)$. All the atomic formulas in a location invariant are of the form $x < (\le) n$.

A timed automaton can be viewed as a conventional finite state automaton extended with some clocks and time constraints. The real-number values of all the clocks increase as time passes. A transition of the automaton can take place if its time guard is satisfied. When a transition takes place, it can reset the values of some clocks to 0. The automaton may stay at a location as long as the location invariant is satisfied.

A symbolic state of the timed automaton $A$ is a tuple $(l, D)$, where $l$ is a location and $D$ is in $B(C)$. The symbolic state space of a timed automaton can be divided into a finite number of equivalence classes.

2.2 Reachability Analysis 

The operations over time zones can be performed efficiently [4]. So most of the model checking algorithms in the literature use enumeration of time zones to explore the state space.

Timed automata evolve either by time delay or by moving to another location through a transition. The symbolic successor operator $sp$ is as follows.

– For time delay, $sp(\delta)(l, D) \stackrel{def}{=} (l, D^\uparrow \wedge I(l))$

– For a transition $e = (l, g, r, l')$, $sp(e)(l, D) \stackrel{def}{=} (l', r(g \wedge D) \wedge I(l'))$

We also define an operator $sps$ as $sps(e)(l, D) = sp(e)(sp(\delta)(l, D))$. We say $sps(e)(l, D)$ is the direct successor of $(l, D)$ w.r.t. the transition $e$. The time zone of the direct successor can be calculated as $r(D^\uparrow \wedge I(l) \wedge g) \wedge I(l')$. Let $\chi$ be a clock valuation over the clock set $C$ satisfying $D^\uparrow \wedge I(l) \wedge g$. Let $\chi'$ be the new valuation derived by setting the values of the clocks in $r$ to 0. The valuation $\chi'$ satisfies $r(D^\uparrow \wedge I(l) \wedge g) \wedge I(l')$ if and only if all the values of the clocks in $C - r$ satisfy the formulas about them in $I(l')$. So the time zone can also be calculated as $r(D^\uparrow \wedge I(l) \wedge g \wedge I')$, where $I'$ is the time guard derived by removing all atomic formulas about clocks in $r$ from $I(l')$.

The basic reachability analysis algorithm depicted in Fig. 1 checks whether the location $l'$ is reachable from $(l_0, D_0)$. This algorithm, or one of its variants, is widely used in different model checking tools [1][2][3].

2.3 Representing Time Zones by Weighted Directed Graphs 

A time zone is a conjunction of atomic formulas of the form $x - y \sim n$ for $x, y \in C \cup \{0\}$, $\sim\, \in \{<, \le\}$ and $n$ being an integer. For convenience of reasoning in this paper, we can also represent a time zone by a weighted directed graph.

    PASSED := {}
    WAITING := {(l_0, D_0)}
    repeat begin
        get a state (l, D) from WAITING and remove it from WAITING
        if D ⊈ D' for all (l, D') ∈ PASSED then
        begin
            add (l, D) to PASSED.
            Succ := {sps(e)(l, D) | e is a transition leaving l}
            if there is a non-empty zone (l_1, D') ∈ Succ
               such that l_1 = l'
               return YES
            WAITING := WAITING ∪ {z | z is non-empty ∧ z ∈ Succ}
        end
    end
    until WAITING = {}
    return NO.

Fig. 1. The basic reachability analysis algorithm



Given a time zone $D$ over a set of clocks $C$, the corresponding graph $G_D$ is defined as follows. Each node of the graph represents a clock or the constant 0. There are two kinds of edges: equational and non-equational edges. For each atomic formula $x - y \le n$ (or $x - y < n$), there is an equational (or non-equational) edge from node $x$ to node $y$ weighted $n$. A path $p$ is a sequence of consecutive edges. The path $p$ is an equational one if all its edges are equational. It is non-equational if $p$ is not equational.

The operators over time zones can be performed through weighted directed graphs. Let $D$, $D_1$ and $D_2$ be three time zones.

1. $D$ is empty if and only if there is a cycle in $G_D$ such that either the length of that cycle is negative, or the cycle is non-equational and of length 0.

2. Each edge from $x$ to $y$ in $G_{D_1 \wedge D_2}$ is the shorter one of the edges (if they exist) from $x$ to $y$ in $G_{D_1}$ and $G_{D_2}$.

3. The graph $G_{D'}$ of the equivalent canonical zone of $D$ can be derived as follows. For any two nodes $x$ and $y$, there is an edge from $x$ to $y$ in $G_{D'}$ if there are paths from $x$ to $y$ in $G_D$. The edge and the shortest path are of the same length. The edge is equational if and only if the shortest path is equational.
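The three graph operations above, together with the delay, reset and successor operators of subsection 2.2 and the search loop of Fig. 1, as an added Python example (not the paper's code); the `Zone` class, the `(weight, strict)` edge encoding and the three-location automaton used at the end are constructed here, and clocks are assumed non-negative.

```python
"""Time zones as weighted directed graphs (Sect. 2.3) and the basic
reachability loop of Fig. 1.  Added example, not the paper's own code; the
three-location automaton at the bottom is constructed for illustration."""
from collections import deque

# Edge x -> y weighted (n, strict) is the formula x - y < n (strict=True) or
# x - y <= n (equational).  Absent edges carry an infinite weight.
INF, ZERO = (float("inf"), True), (0, False)

def connect(a, b):
    """The paper's connection operator: weights add, equational iff both are."""
    return (a[0] + b[0], a[1] or b[1])

def tighter(a, b):
    """Is edge a shorter than edge b?  At equal weight '<' beats '<='."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

class Zone:
    """Formulas x - y < (<=) n over the clocks and 0; clocks are non-negative."""
    def __init__(self, clocks, formulas=(), edges=None):
        self.nodes = ("0",) + tuple(clocks)
        self.e = dict(edges) if edges else {(x, y): ZERO if x in ("0", y) else INF
                                            for x in self.nodes for y in self.nodes}
        for x, y, n, strict in formulas:
            if tighter((n, strict), self.e[(x, y)]):
                self.e[(x, y)] = (n, strict)

    def intersect(self, other):
        """Item 2: keep the shorter of the two edges for every pair of nodes."""
        z = Zone(self.nodes[1:], edges=self.e)
        for k, w in other.e.items():
            if tighter(w, z.e[k]):
                z.e[k] = w
        return z

    def canonical(self):
        """Item 3: all-pairs shortest paths (Floyd-Warshall).  A negative or
        non-equational zero-length cycle shows up as a tightened self-loop."""
        z = Zone(self.nodes[1:], edges=self.e)
        for k in z.nodes:
            for i in z.nodes:
                for j in z.nodes:
                    via = connect(z.e[(i, k)], z.e[(k, j)])
                    if tighter(via, z.e[(i, j)]):
                        z.e[(i, j)] = via
        return z

    def is_empty(self):
        """Item 1: empty iff some self-loop became tighter than 'x - x <= 0'."""
        return any(tighter(self.canonical().e[(x, x)], ZERO) for x in self.nodes)

    def subset(self, other):
        """D ⊆ D' iff each edge of canonical D is at least as tight as in D'."""
        c = self.canonical()
        return all(not tighter(other.e[k], c.e[k]) for k in c.e)

    def up(self):
        """Time delay D^↑: drop every upper bound x - 0 < (<=) n."""
        z = self.canonical()
        for x in z.nodes[1:]:
            z.e[(x, "0")] = INF
        return z

    def reset(self, clocks):
        """r(D): the clocks in r take the value 0; other relations are kept."""
        z = self.canonical()
        for x in clocks:
            for y in z.nodes:
                z.e[(x, y)], z.e[(y, x)] = z.e[("0", y)], z.e[(y, "0")]
        return z

def sps(D, inv_l, guard, resets, inv_target):
    """Direct successor of Sect. 2.2: r(D^↑ ∧ I(l) ∧ g) ∧ I(l')."""
    return D.up().intersect(inv_l).intersect(guard).reset(resets).intersect(inv_target)

def reachable(inv, edges, clocks, l0, target):
    """Fig. 1 with WAITING kept as a queue; D0 sets every clock to 0."""
    d0 = Zone(clocks, [(x, "0", 0, False) for x in clocks]).intersect(inv[l0])
    waiting, passed = deque([(l0, d0)]), []
    while waiting:
        l, D = waiting.popleft()
        if any(lp == l and D.subset(Dp) for lp, Dp in passed):
            continue                       # covered by a state in PASSED
        passed.append((l, D))
        for src, g, r, dst in edges:
            if src != l:
                continue
            Dn = sps(D, inv[l], g, r, inv[dst])
            if Dn.is_empty():
                continue
            if dst == target:
                return True
            waiting.append((dst, Dn))
    return False

# Constructed automaton: A --(x >= 2, reset y)--> B --(y >= 3, x <= bound)--> C, invariant
# x <= 5 in A.  y is reset at least 2 time units after x started, so y >= 3 forces x >= 5:
# C is unreachable for bound 4 and reachable for bound 6.
CLOCKS = ("x", "y")
INV = {"A": Zone(CLOCKS, [("x", "0", 5, False)]), "B": Zone(CLOCKS), "C": Zone(CLOCKS)}

def edges_with_bound(bound):
    return [("A", Zone(CLOCKS, [("0", "x", -2, False)]), ("y",), "B"),
            ("B", Zone(CLOCKS, [("0", "y", -3, False), ("x", "0", bound, False)]), (), "C")]
```

`reachable(INV, edges_with_bound(4), CLOCKS, "A", "C")` returns False and the same call with bound 6 returns True; the emptiness of the bound-4 successor is exactly a negative cycle through node 0 in the guard-conjoined graph.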

3 Detecting Irrelevant Atomic Formulas

This section presents the basic idea of irrelevant formulas. The methods to detect irrelevant atomic formulas are also presented.
[Figure 2: a timed automaton fragment with the labels "x < 4, y < 3" and "x > 4, reset ..."]

Fig. 2. An example for irrelevant formulas



3.1 Basic Idea about Irrelevant Formulas 

A time zone is a conjunction of atomic formulas of the form $x - y \sim c$. Generally speaking, given a symbolic state $(l, D)$, removing an atomic formula $d$ from $D$ may result in a bigger state $(l, D')$ ($D \subseteq D'$). However, we found that under certain conditions, all the locations reachable from $(l, D')$ are still reachable locations of the timed automaton. Thus, if $(l, D)$ is a symbolic state generated by the reachability analysis algorithm, it can be replaced by $(l, D')$ during state generation without generating unreachable locations. We call $d$ an irrelevant atomic formula of $(l, D)$. Here we use the timed automaton fragment in Fig. 2 as an example to show that removing irrelevant atomic formulas can reduce the memory requirement. Let $(l, -x < 4 \wedge x - y < 3)$ and $(l, -x < 4 \wedge x - y > 3)$ be two symbolic states of the automaton. The only direct successor of these two states is $(l_1, -x < 4 \wedge y - x < 4 \wedge y = 0)$. We can find that the constraints $x - y < 3$ and $x - y > 3$ are irrelevant atomic formulas. These two states are reduced to the one state $(l, -x < 4)$ if the irrelevant formulas are removed.

Definition 1. Let $(l, D)$ be a reachable symbolic state of a timed automaton $A$. Let $d$ be an atomic formula in $D$. Let $D'$ be the zone derived by removing $d$ from $D$. The atomic formula $d$ is an irrelevant formula of $D$ if each location reachable from $(l, D')$ is also a reachable location of the automaton.

From the above definition, the model-checker can remove irrelevant atomic formulas from the generated states during the state-space exploration. We present two methods to detect irrelevant formulas in subsections 3.3 and 3.4.

3.2 Two Basic Theorems about Zone Intersection Operator 

We will first present two theorems about zone intersection. These theorems will 
be used to reason about the methods. 

Theorem 1. Let $D_1$ be a non-empty canonical zone. Let $g$ be a time guard in $G(C)$. If $g \wedge D_1 = \emptyset$, there must be an atomic formula $d$ in $D_1$ such that $g \wedge d = \emptyset$. Furthermore, one of the following conclusions holds. (I) $d$ is of the form $x \sim n$ in $D_1$, and there is a formula $x \sim' n'$ in $g$ such that $d \wedge (x \sim' n')$ is false. (II) $d$ is of the form $x - y < (\le) n$ ($x, y \ne 0$), and there are two formulas $0 - x < (\le) n_1$ and $y - 0 < (\le) n_2$ in $g$ such that $d \wedge (0 - x < (\le) n_1) \wedge (y - 0 < (\le) n_2)$ is false.

Proof. Because $g \wedge D_1$ is $\emptyset$, there must be a cycle $p$ in $G_{g \wedge D_1}$ whose length is negative. (We also call a non-equational 0-length path a negative one.) Because $D_1$ is not empty, no cycle in $G_{D_1}$ is negative. So $p$ contains at least one edge from $G_g$.

Notice that each edge in $G_g$ either leaves or arrives at the node 0, so the cycle $p$ must pass through 0 at least once. If $p$ passes 0 more than once, we can get a negative sub-cycle $p'$ of $p$ such that $p'$ passes 0 only once. There are one or two edges in $p'$ from $G_g$ because each edge in $G_g$ either leaves or arrives at 0. The other edges in $p'$ are from $G_{D_1}$ and consecutive. Because $D_1$ is canonical, the other edges can be replaced by one edge from $G_{D_1}$. This edge, together with the edges from $G_g$, forms a negative-length cycle. Let $d$ be the atomic formula corresponding to the edge in $G_{D_1}$; we have $d \wedge g = \emptyset$.

The last cycle is composed of one edge from $G_{D_1}$ and 1 or 2 edges from $G_g$. If only one edge in the cycle is from $G_g$, conclusion (I) holds. If two edges are from $G_g$, conclusion (II) holds. □

Theorem 2. Let $D_1$ be a canonical zone. Let $g$ be a time guard with $D_1 \wedge g \ne \emptyset$. Let $D_2'$ be the canonical zone equivalent to $g \wedge D_1$. Each atomic formula $d$ in $D_2'$ is in one of the following categories.

1. Category 1: the original atomic formula set of $D_1$.

2. Category 2: the original atomic formula set of $g$.

3. Category 3: the atomic formula $d$ is of the form $x \sim c$ and there are atomic formulas $d_1 \in D_1$ and $d_2 \in g$ such that $d = d_1 \bullet d_2$ or $d = d_2 \bullet d_1$.

4. Category 4: the atomic formula $d$ is of the form $x - y \sim c$ ($x, y \ne 0$) and there are atomic formulas $d_1$ and $d_2$, respectively of the form $x < (\le) c_1$ and $0 - y < (\le) c_2$, in one of the above three categories satisfying $d = d_1 \bullet d_2$.

Proof. Because $g \wedge D_1$ is not empty, each cycle in the graph $G_{g \wedge D_1}$ is non-negative. If there are cycles in a path $p$, we can remove them from $p$ to get a shorter path. So if there is a path from $x$ to $y$ ($x \ne y$), there is an acyclic shortest one from $x$ to $y$.

If an edge in $G_{D_2'}$ is also in $G_{g \wedge D_1}$, the corresponding formula is in $D_1$ or $g$. So the formula is in category 1 or 2.

Let $d$ be an arbitrary atomic formula of the form $x - 0 < (\le) n$ or $0 - x < (\le) n$ in $D_2'$. If $d$ is not in category 1 or 2, the shortest path in $G_{g \wedge D_1}$ between $x$ and 0 must include an edge from $G_g$. Because each edge in $G_g$ either leaves 0 or arrives at 0, and the path is acyclic, there is only one edge from $G_g$, at one of the two ends of the path. All the rest of the edges are from $G_{D_1}$ and consecutive. Because $D_1$ is canonical, we can find an edge in $G_{D_1}$ equivalent to the rest of the edges. So two edges, one from $G_{D_1}$ and another from $G_g$, also form a shortest path. That is, the atomic formula is equal to $d_1 \bullet d_2$ or $d_2 \bullet d_1$ for some $d_1$ in $D_1$ and $d_2$ in $g$. So these formulas are in category 3.

For an arbitrary atomic formula $x - y < (\le) n$ ($x, y \ne 0$) in $D_2'$, there must be an equivalent acyclic shortest path $p$ in $G_{g \wedge D_1}$. The path passes through the node 0 because $p$ contains at least one edge from $G_g$. We can divide $p$ into two parts: from $x$ to 0 and from 0 to $y$. These two parts are also shortest ones because $p$ is shortest. These two parts correspond respectively to two atomic formulas of the form $x - 0 < (\le) n$ or $0 - x < (\le) n$ in category 1, 2, or 3. So $x - y < (\le) n$ is in category 4. □

3.3 Static Method for Irrelevant Atomic Formula Detection 

The static method uses information about clock resetting and testing to detect irrelevant atomic formulas. Before state-space exploration, we need to collect this information.

Definition 2 (Greater-test-free clock). Let $l$ be a location. Let $e_1, e_2, \ldots, e_n$ be all the transitions leaving $l$. A clock $x$ is called greater-test-free on $l$ if the following conditions hold. (i) The time guard of each $e_i$ and the location invariant of $l$ contain no atomic formula of the form $x > (\ge) n$. (ii) For each $i$, either $e_i$ resets $x$ or $x$ is also greater-test-free on the target location of $e_i$.

Intuitively, a clock $x$ being greater-test-free on $l$ means that on each transition path leaving $l$, $x$ will not be tested by a constraint $x > (\ge) n$ before it is reset. This information can be calculated before the state-space exploration. For a parallel composition of timed automata, a clock is tested and reset by only one local automaton. So calculating this information can be done at low cost.

Lemma 1. Let $g$ be a time guard containing no atomic formula of the form $x_0 > (\ge) n$. Let $D_1$ and $D_2$ be two canonical time zones containing the same set of formulas which are not of the form $x_0 - y < (\le) n$, and $(D_1 \wedge g \ne \emptyset) \wedge (D_2 \wedge g \ne \emptyset)$. Let $D_1'$ and $D_2'$ be canonical zones respectively equivalent to $D_1 \wedge g$ and $D_2 \wedge g$. The zones $D_1'$ and $D_2'$ contain the same set of atomic formulas which are not of the form $x_0 - y < (\le) n$ ($y \in C \cup \{0\}$).

Proof. Let $d$ be an atomic formula in $D_1'$ which is not of the form $x_0 - y < (\le) n$. From Theorem 2, $d$ must be in one of the following categories.

If $d$ is in category 1 or 2, $d$ is also in $D_2$ or $g$. So we have $D_2' \Rightarrow d$.

If $d$ is in category 3 and of the form $0 - y < (\le) n$, $d$ is equal to $d_1 \bullet d_2$, where $d_1$ is in $g$ and $d_2$ is in $D_1$. Because there is no formula of the form $0 - x_0 < (\le) n$ in $g$, $d_2$ is not of the form $x_0 - y < (\le) n$. So $d_2$ is also in $D_2$. We have $D_2' \Rightarrow d$.

If $d$ is in category 3 and of the form $y - 0 < (\le) n$ ($y \ne x_0, 0$), $d$ can be equal to $d_1 \bullet d_2$ for some $d_1$ in $D_1$ and $d_2$ in $g$. Because $d_1$ is not of the form $x_0 - z < (\le) n$, $d_1$ is also in $D_2$. So we have $D_2' \Rightarrow d$.

If $d$ is in category 4, $d$ is equal to $d_1 \bullet d_2$ for some $d_1$, $d_2$ of the form $x < (\le) n$ and $0 - y < (\le) n$ in the first three categories. Because $d$ is not of the form $x_0 - y < (\le) n$, $d_1$ is not of the form $x_0 - y < (\le) n$ either. We have $D_2' \Rightarrow d_1$ because $d_1$ is in the first three categories. Also, because $d_2$ is in the first three categories and of the form $0 - y < (\le) n$, we have $D_2' \Rightarrow d_2$. So $D_2' \Rightarrow d$.

Thus we have that for each formula $x - y < (\le) n$ in $D_1'$, $D_2' \Rightarrow x - y < (\le) n$ if $x \ne x_0$. Similarly, we can prove that for each formula $x - y < (\le) n$ in $D_2'$, $D_1' \Rightarrow x - y < (\le) n$ if $x \ne x_0$. So we conclude that $D_1'$ and $D_2'$ have the same set of formulas which are not of the form $x_0 - y < (\le) n$. □
Theorem 3. Let $(l, D)$ be a symbolic state where $D$ is a canonical zone. Let $x_0$ be a clock. All the atomic formulas of the form $x_0 - y < (\le) c$ ($y \in C \cup \{0\}$) in $D$ are irrelevant if $x_0$ is greater-test-free on $l$.

Proof. In this proof, let $l$ be a location, let $x_0$ be a greater-test-free clock on $l$, and let $D_1$ and $D_2$ be two canonical zones containing the same set of atomic formulas of the form $x - y < (\le) n$, where $x \ne x_0$. Let $g$ be a time guard containing no formula of the form $0 - x_0 < (\le) n$.

Let $r$ be a set of clocks. We have that $r(D_1)$ and $r(D_2)$ are the same if $x_0 \in r$.

If $g \wedge D_1$ is empty, from Theorem 1, there is an atomic formula $d_1$ in $D_1$ such that $g \wedge d_1 = \emptyset$. Formula $d_1$ cannot be of the form $x_0 - y < (\le) n$ because $g$ contains no atomic formula of the form $0 - x_0 < (\le) n$. So $d_1$ is also in $D_2$. We have that $D_2 \wedge g$ is also empty.

If $g \wedge D_1$ is not empty, from Lemma 1, the canonical forms of $g \wedge D_1$ and $g \wedge D_2$ have the same set of formulas of the form $x - y < (\le) n$, where $x \ne x_0$.

As discussed in subsection 2.2, the time zones of $sps(e)(l, D_1)$ and $sps(e)(l, D_2)$ are $r(D_1^\uparrow \wedge I(l) \wedge g_e \wedge I')$ and $r(D_2^\uparrow \wedge I(l) \wedge g_e \wedge I')$ respectively. Notice that the clock $x_0$ is greater-test-free on $l$, so $g_e$, $I(l)$ and $I'$ contain no atomic formula of the form $0 - x_0 < (\le) n$. Based on the above conclusions and the definition of greater-test-free clocks, we conclude that for each transition path $p$ leaving $l$, the successors of $(l, D_1)$ and $(l, D_2)$ w.r.t. $p$ are either both empty, or the same, or their time zones have the same set of formulas of the form $x - y < (\le) n$ for $x \ne x_0$.

Let $D'$ be the time zone derived by removing all the formulas of the form $x_0 - y < (\le) c$ from a canonical zone $D$. Then $D$ and the canonical zone of $D'$ have the same set of formulas of the form $x - y < (\le) n$ for $x \ne x_0$. So we have proved this theorem. □

Similarly, we can define less-test-free clocks and get another method to detect irrelevant formulas.
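The static method of this subsection, as an added Python example (not the paper's code): Definition 2 is evaluated as a greatest fixpoint over the automaton's locations, and the removal rule of Theorem 3 is applied to two zones of one location to show benefit (I) from the introduction. The three-location automaton, the guard/invariant encoding and the two canonical zones are constructed here.

```python
"""Static detection of irrelevant atomic formulas (Sect. 3.3): greater-test-free
clocks are computed as a greatest fixpoint of Definition 2, and Theorem 3 is
applied by dropping every x0 - y < (<=) c with x0 greater-test-free on l.
Added example, not the paper's code; the automaton and the zones are constructed."""

# A guard or invariant is a list of (clock, op, n) with op in {"<", "<=", ">", ">="}.
# A zone is a frozenset of (x, y, op, n) meaning x - y op n, with x, y a clock or "0"
# and op in {"<", "<="}; the zones below are given in canonical form, as Theorem 3 requires.

def has_greater_test(formulas, clock):
    """Condition (i) of Definition 2: a test of the form clock > n or clock >= n."""
    return any(c == clock and op in (">", ">=") for c, op, _ in formulas)

def greater_test_free(locations, inv, edges, clocks):
    """Greatest fixpoint of Definition 2.  Start from every pair (l, x) whose
    invariant passes condition (i), then drop pairs that violate condition (i)
    or (ii) on some leaving transition until nothing changes; the survivors are
    the clocks never tested with '>' or '>=' before a reset on any path."""
    gtf = {(l, x) for l in locations for x in clocks if not has_greater_test(inv[l], x)}
    changed = True
    while changed:
        changed = False
        for src, guard, resets, dst in edges:
            for x in clocks:
                if (src, x) not in gtf:
                    continue
                if has_greater_test(guard, x) or (x not in resets and (dst, x) not in gtf):
                    gtf.discard((src, x))
                    changed = True
    return gtf

def remove_irrelevant(location, zone, gtf):
    """Theorem 3: every x0 - y < (<=) c with x0 greater-test-free on location is irrelevant."""
    return frozenset(f for f in zone if (location, f[0]) not in gtf)

def reduced_states(location, zones, gtf):
    """Distinct zones left for one location after the static removal (benefit (I))."""
    return {remove_irrelevant(location, z, gtf) for z in zones}

# Constructed automaton: l0 --(x >= 4, reset y)--> l1 --(y <= 3)--> l2 --(x >= 1)--> l0,
# invariant x <= 4 on l0.  x is greater-tested on l0 and l2 and never reset, so it is
# greater-test-free nowhere; y is reset before any '>' test, so it is greater-test-free
# on every location.
LOCATIONS, CLOCKS = ("l0", "l1", "l2"), ("x", "y")
INV = {"l0": [("x", "<=", 4)], "l1": [], "l2": []}
EDGES = [("l0", [("x", ">=", 4)], {"y"}, "l1"),
         ("l1", [("y", "<=", 3)], set(), "l2"),
         ("l2", [("x", ">=", 1)], set(), "l0")]
GTF = greater_test_free(LOCATIONS, INV, EDGES, CLOCKS)

# Two canonical zones at l0 that differ only in their y - x and y - 0 bounds.
COMMON = {("x", "0", "<=", 4), ("0", "x", "<=", -2), ("0", "y", "<=", 0), ("x", "y", "<=", 3)}
D1 = frozenset(COMMON | {("y", "0", "<=", 4), ("y", "x", "<=", 0)})
D2 = frozenset(COMMON | {("y", "0", "<=", 3), ("y", "x", "<=", -1)})
```

`reduced_states("l0", [D1, D2], GTF)` has one element, whereas with no greater-test-free information both zones stay in PASSED as separate states.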

3.4 Dynamic Method for Irrelevant Atomic Formula Detection 

Let (l,D) be a symbolic state generated by the model-checking algorithm. 
Let ei,e 2 ,...,e„ be transitions leaving 1. Let (li,Di) be the symbolic states 
generated by the algorithm satisfying that either (1) sps(ei){l,D) C (li,Di) if 
sps(ei){l, D) ^ 0, or (2) = 0 if sps(ei){l, D) is empty. Let d be an atomic for- 

mula in D. Let D' be the time zone derived by removing d from D. The atomic 
formula d is called removable w.r.t. Ci if sp(ei)(l,D') C (l(,Di). The formula d 
is irrelevant if it is removable w.r.t. all the leaving transitions. 

As described in subsection 2.2, the successor of $(l, D)$ w.r.t. $e_i$ is $(l_i, r(D^{\uparrow} \wedge I(l) \wedge g_i \wedge I'))$. Let $g'_i$ be the time guard equivalent to $I(l) \wedge g_i \wedge I'$. The successor is empty if and only if $D^{\uparrow} \wedge g'_i$ is empty. By Theorem 1, there must then be an atomic formula $d$ in $D^{\uparrow}$ such that $d \wedge g'_i = \emptyset$. The formula $d$ is also in $D$, and all the other atomic formulas are removable w.r.t. $e_i$.

Now we present a way to find removable atomic formulas when the successor w.r.t. $e_i$ is not empty. The symbolic successor $sps(e_i)(l, D)$ is $(l_i, r(D^{\uparrow} \wedge g'_i))$, so $r(D^{\uparrow} \wedge g'_i) \subseteq D_i$.



42 Jianhua Zhao et al. 

1. Let $D'_i = r^{-1}(D_i)$, where $r$ is the set of clocks reset by the transition $e_i$; the definition of the operator $r^{-1}$ can be found in [4]. $D'_i$ is the largest time zone satisfying $r(D'_i) = D_i$. We have $D^{\uparrow} \wedge g'_i \subseteq D'_i$.

2. Calculate the canonical zone $D''_i$ of $D^{\uparrow} \wedge g'_i$. According to Theorem 2, each formula in $D''_i$ falls into one of four categories, and there are 0, 1 or 2 formulas in $D^{\uparrow}$ associated with each formula in $D''_i$. If we calculate $D''_i$ based on Theorem 2, we can record, for each formula in $D''_i$, which formulas in $D$ are associated with it.

3. For each formula $d$ in $D'_i$, find the formula $d'$ in $D''_i$ such that $d' \Rightarrow d$, and mark the formulas in $D$ associated with $d'$. Because $D''_i$ is canonical and $D''_i \subseteq D'_i$, such a $d'$ exists for every $d$ in $D'_i$.

4. All unmarked formulas in $D$ are removable w.r.t. $e_i$.

Thus we have an algorithm that detects the irrelevant formulas of a symbolic state once all of its direct successors have been calculated.

4 Improved Algorithm 

Based on the methods for irrelevant atomic formula detection presented in the previous sections, we obtain the improved algorithm depicted in Figure 3. The algorithm explores the state space in a breadth-first way. It differs from the basic algorithm as follows.

1. Each time a symbolic state is generated, the algorithm removes the irrelevant atomic formulas detected by the static method.

2. Once the algorithm has generated all the direct successors of a symbolic state $(l, D)$, it removes the irrelevant atomic formulas of $D$ detected by the dynamic method.

This algorithm can be used to check whether a location is reachable. Its result is exact, because removing irrelevant formulas does not introduce new reachable locations.

The algorithm can be extended to check whether a symbolic state $(l, D)$ is reachable, provided $D$ is in $G(C)$: add a new location $l_{dest}$ and a virtual transition from $l$ to $l_{dest}$ with $D$ as its time guard. The reachability problem of $(l, D)$ is thus transformed into the reachability problem of $l_{dest}$. For a parallel composition of timed automata, the virtual transition can be simulated by a set of synchronized local transitions.

In this algorithm, the dynamic method is only applied to a symbolic state once all of its successors have been generated. The method can also be applied recursively: when the algorithm detects and removes irrelevant formulas from a symbolic state, it can in turn detect irrelevant formulas of the predecessors of that state. To do this, the predecessors of each symbolic state must be recorded. Recursive detection is worthwhile only if the benefit of removing more irrelevant formulas outweighs the cost of maintaining the predecessor-successor relations. We have not implemented recursive detection; it may later become an option of our tool.
Calculate which clocks are greater-test-free or less-test-free on each location.
PASSED := {}
WAITING := {(l_0, D_0)}
repeat begin
  get a state (l, D) from WAITING and remove it from WAITING;
  if D ⊄ D' for all (l, D') ∈ PASSED then
  begin
    add (l, D) to PASSED;
    for each e_i in the set {e_i | l is the source location of e_i} do
    begin
      Let S_i = sps(e_i)(l, D);
      if S_i is non-empty and the location of S_i is l'
        return YES;
      if there exists a state S' in PASSED satisfying that S_i ⊆ S'
        Let S_i := S';
      else begin
        Remove irrelevant formulas detected by static method from S_i;
        Add S_i into WAITING;
      end
    end
    Detect and remove the irrelevant formulas of (l, D) by dynamic method;
  end
end
until WAITING = {}
return NO.

Fig. 3. The improved algorithm



The dynamic method (non-recursive) used in this algorithm needs no extra memory. The static method needs some extra memory to record the information about greater-test-free and less-test-free clocks, but this cost is small compared with the memory needed for the generated states.
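To make the search of Figure 3 and the static reduction concrete, the following Python sketch is an added example written for this edition; it is not the authors' experimental tool, and it leaves out the dynamic method of subsection 3.4. It represents zones as DBMs and makes several simplifying assumptions that are not taken from the paper: integer, non-strict bounds only (a formula $x - y \le n$ is a triple (x, y, n), index 0 is the reference clock), invariants that only bound clocks from above, zones stored after time elapse, and "greater-test-free on l" read as "never bounded from below on any path from l before being reset", computed as a greatest fixpoint. The static reduction deletes every formula $x_0 - y \le n$ of a greater-test-free clock $x_0$, as in the theorem above. The constructed automaton (locations A, B, C, clocks x and y) is chosen so that the reduced search visits fewer symbolic states while returning the same verdict.

```python
# Added example (not the paper's tool): Fig. 3 without the dynamic method.
# Assumptions: integer, non-strict bounds x - y <= n written as (x, y, n);
# index 0 is the reference clock; invariants only bound clocks from above;
# zones are stored after time elapse; "greater-test-free on l" is read as
# "never bounded from below on any path from l before being reset".
from collections import deque

INF = float("inf")

def close(m):
    """Canonical form by Floyd-Warshall; None if the zone is empty."""
    n, d = len(m), [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if d[i][k] + d[k][j] < d[i][j]:
                    d[i][j] = d[i][k] + d[k][j]
    return None if any(d[i][i] < 0 for i in range(n)) else d

def conj(m, cons):
    """m AND (x - y <= n) for every (x, y, n) in cons, canonicalised."""
    d = [row[:] for row in m]
    for x, y, n in cons:
        d[x][y] = min(d[x][y], n)
    return close(d)

def up(m):
    """Time elapse: drop the upper bounds x - 0 <= n (stays canonical)."""
    d = [row[:] for row in m]
    for x in range(1, len(m)):
        d[x][0] = INF
    return d

def reset(m, clocks):
    """Reset the given clocks to 0 (stays canonical)."""
    d = [row[:] for row in m]
    for x in clocks:
        for y in range(len(m)):
            if y != x:
                d[x][y], d[y][x] = d[0][y], d[y][0]
    return d

def subset(a, b):
    """Zone inclusion a ⊆ b on canonical DBMs."""
    return all(a[i][j] <= b[i][j] for i in range(len(a)) for j in range(len(a)))

def drop_upper_formulas(m, x):
    """Static method: delete every formula x - y <= n of clock x."""
    d = [row[:] for row in m]
    for y in range(len(m)):
        if y != x:
            d[x][y] = INF
    return d

def lower_tests(cons, x):
    """True if some formula a - x <= n bounds clock x from below."""
    return any(b == x for _, b, _ in cons)

def greater_test_free(ta):
    """Greatest fixpoint: the greater-test-free clocks of every location."""
    gtf = {l: set(ta["clocks"]) for l in ta["locs"]}
    changed = True
    while changed:
        changed = False
        for l in ta["locs"]:
            for x in sorted(gtf[l]):
                bad = lower_tests(ta["inv"][l], x) or any(
                    src == l and (lower_tests(g, x) or (x not in rs and x not in gtf[dst]))
                    for src, g, rs, dst in ta["edges"])
                if bad:
                    gtf[l].discard(x)
                    changed = True
    return gtf

def reachable(ta, target, use_static=True):
    """Breadth-first search of Fig. 3; returns (target reachable?, |PASSED|)."""
    n = len(ta["clocks"]) + 1
    gtf = greater_test_free(ta) if use_static else {l: set() for l in ta["locs"]}

    def reduce_static(l, z):                      # remove irrelevant formulas
        for x in gtf[l]:
            z = drop_upper_formulas(z, x)
        return z

    def covered(l, z, passed):                    # D ⊆ D' for some (l, D') in PASSED
        return any(l == l2 and subset(z, z2) for l2, z2 in passed)

    z0 = conj(up([[0] * n for _ in range(n)]), ta["inv"][ta["init"]])
    passed, waiting = [], deque([(ta["init"], reduce_static(ta["init"], z0))])
    while waiting:
        l, z = waiting.popleft()
        if covered(l, z, passed):
            continue
        passed.append((l, z))
        for src, guard, resets, dst in ta["edges"]:
            if src != l:
                continue
            s = conj(z, ta["inv"][l] + guard)                    # D ∧ I(l) ∧ g
            if s is not None:                                    # r(...), elapse, I(l')
                s = conj(up(reset(s, resets)), ta["inv"][dst])
            if s is None:
                continue
            if dst == target:
                return True, len(passed)
            if not covered(dst, s, passed):
                waiting.append((dst, reduce_static(dst, s)))
    return False, len(passed)

# Constructed automaton: A loops while resetting x; y is only ever bounded from
# above (y <= 5 in A, y <= 3 towards B), so y is greater-test-free on A and B,
# and zones that differ only in y's upper bounds collapse into one.
X, Y = 1, 2
TA = {"clocks": [X, Y], "locs": ["A", "B", "C"], "init": "A",
      "inv": {"A": [(Y, 0, 5)], "B": [(X, 0, 2)], "C": []},
      "edges": [("A", [(0, X, -2)], [X], "A"),    # x >= 2, reset x
                ("A", [(Y, 0, 3)], [], "B"),      # y <= 3
                ("B", [(0, X, -3)], [], "C")]}    # x >= 3: blocked by x <= 2 in B
```

Running `reachable(TA, "C", use_static=False)` explores four symbolic states (two in A, two in B) and reports C unreachable; with the static reduction the two zones of A differ only in formulas of the greater-test-free clock y, so the second one is covered by the first and the search stops after two states with the same verdict, which is the exactness claimed in Section 4.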

5 Case Studies 

We have incorporated the techniques presented in this paper into our experimental tool, and applied it to several examples on an Intel P4 (1 GHz) computer with 256 MB of memory and 512 MB of virtual memory. The tables in Figure 4 give the performance data of our tool when checking Fischer's protocol, the CSMA/CD protocol and the FDDI protocol. The columns 'Basic', 'Inactive' and 'Irrelevant' are respectively the data for the basic algorithm, the algorithm with the 'inactive clock reduction' optimization, and the algorithm with 'irrelevant constraint removal'. The space requirement is expressed as the number of generated symbolic states. We only check FDDI with 2, 3 and 4 workstations because our experimental tool can handle at most 16 clock variables. Because the number of generated states is significantly reduced, the CPU time used is also short: the checks for these systems complete within seconds or minutes.

  System       Basic   Inactive   Irrelevant
  Fischer 2       27         21           18
  Fischer 3      157        103           65
  Fischer 4      965        567          220
  Fischer 5     6591       3631          727
  Fischer 6    50431      26799         2378
  Fischer 7      N/A        N/A         7737
  Fischer 8      N/A        N/A        25080
  Fischer 9      N/A        N/A        81035
  Fischer 10     N/A        N/A       260998

  System       Basic   Inactive   Irrelevant
  CSMA 3         126         69           54
  CSMA 4         913        387          199
  CSMA 5        6303       2226          644
  CSMA 6       43911      14931         2057
  CSMA 7         N/A        N/A         6026
  CSMA 8         N/A        N/A        16907
  CSMA 9         N/A        N/A        45836
  CSMA 10        N/A        N/A       120845
  CSMA 11        N/A        N/A       311310

  System       Basic   Inactive   Irrelevant
  FDDI 2          57         27           15
  FDDI 3         160         56           21
  FDDI 4         345         95           27

Fig. 4. Performance data (number of generated symbolic states) for Fischer's, CSMA/CD, and FDDI protocol

The performance data shows that our technique can significantly reduce the space requirement in these cases. There are some cases, like the Bang & Olufsen Collision Detection Protocol [9], in which our technique yields no optimization.

Our technique works very well if there are several greater-test-free or less-test-free clocks in the system. Our experimental tool even outperforms UPPAAL when checking Fischer's protocol and the CSMA/CD protocol. Notice that our technique is an exact one, so we can compare our performance data with those of UPPAAL without the option -A. As reported on the UPPAAL homepage, UPPAAL can check Fischer's protocol with 7 processes and the CSMA protocol with 7 senders.



6 Conclusions 

In this paper, we present a technique to reduce the space requirement of reacha- 
bility analysis on timed automata. We found that some of the constraints in the 
generated symbolic state are irrelevant to the evolution of the timed automaton. 
Removing these constraints can reduce the number of symbolic states generated 
by the analysis algorithm. 

Two methods are presented to detect irrelevant formulas during state-space 
exploration. The first one is called static detection method. This method finds 
irrelevant formulas based on the information about clock resetting and testing. 
This information can be calculated statically for each timed automaton before 
state-space exploration. This method is a generalization of ‘inactive clock reduc- 
tion’ technique. It can detect all the irrelevant formulas associated with inactive 
clocks. It is more powerful because it can also detect irrelevant formulas asso- 
ciated with active but greater-test-free or less-test-free clocks. The performance 
data also shows that our technique results in better optimization. 
A dynamic detection method is also proposed in this paper. Once all the direct successors of a state have been generated, this method detects irrelevant atomic formulas of the state according to its successors. It can find some irrelevant formulas that the static method cannot: in the example depicted in Fig. 2, the irrelevant formula x − y < S cannot be found by the static method but is found by the dynamic one.

Our technique operates on the time zones individually. So we believe that 
this technique can be easily combined with other optimization techniques. 

The optimized algorithm in this paper can check whether a location is reach- 
able. The reachability of a symbolic state can be transformed into location reach- 
ability problem by adding virtual transitions. 
Abstract. We describe a prototype extension of the real-time model checking tool Uppaal with symmetry reduction. The symmetric data type scalarset, which is also used in the Murφ model checker, was added to Uppaal's system description language to support the easy static detection of symmetries. Our prototype tool uses state swaps, described and proven sound earlier by Hendriks, to reduce the space and memory consumption of Uppaal. Moreover, the reduction strategy is canonical, which means that the symmetries are optimally used. For all examples that we experimented with (both academic toy examples and industrial cases), we obtained a drastic reduction of both computation time and memory usage, exponential in the size of the scalar sets used.



1 Introduction 

Model checking is a semi-automated technique for the validation and verification 
of all kinds of systems [8] . The approach requires the construction of a model of 
the system and the definition of a specification for the system. A model check- 
ing tool then computes whether the model satisfies its specification. Nowadays, 
model checkers are available for many application areas, e.g., hardware systems 
[10, 22], finite-state distributed systems [17], and timed and hybrid systems 
[21, 27, 25, 16]. 

* Supported by the European Community Project IST-2001-35304 (AMETIST), http://ametist.cs.utwente.nl.

** Peter Niebert suggested the method for efficient computation of canonical represen- 
Despite the fact that model checkers are relatively easy to use compared to
manual verification techniques or theorem provers, they are not being applied on 
a large scale. An important reason for this is that they must cope with the state 
space explosion problem, which is the problem of the exponential growth of the 
state space as models become larger. This growth often renders the mechanical 
verification of realistic systems practically impossible: there just is not enough 
time or memory available. As a consequence, much research has been directed 
at finding techniques to fight the state space explosion. One such a technique is 
the exploitation of behavioral symmetries [18, 23, 20, 19, 12, 7]. The exploitation 
of full symmetries can be particularly profitable, since its gain can approach a 
factorial magnitude. 

There are many timed systems which clearly exhibit full symmetry, e.g., Fis- 
cher’s mutual exclusion protocol [1], the CSMA/CD protocol [24, 27], industrial 
audio/video protocols [13], and distributed algorithms, for instance [4]. 

Motivated by these examples, the work presented in [14] describes how Uppaal, a model checker for networks of timed automata [21, 3, 2], can be enhanced with symmetry reduction. The present paper puts this work to practice: a prototype of Uppaal with symmetry reduction has been implemented. The symmetric data type scalarset, which was introduced in the Murφ model checker [10], was added to Uppaal's system description language to support the easy static detection of symmetries. Furthermore, the state swaps described and proven sound in [14] are optimally used to reduce the space and time consumption of the model checking algorithm. Run-time data is reported for the examples mentioned above, showing that symmetry reduction in a timed setting can be very effective.

Related work. Symmetry reduction is a well-known technique to reduce the resource requirements for model checking algorithms, and it has been successfully implemented in model checkers such as Murφ [10, 19], SMV [22], and Spin [17, 6]. As far as we know, the only model checker for timed systems that exploits symmetry is Red [25, 26]. The symmetry reduction technique used in Red, however, gives an over-approximation of the reachable state space (this is called the anomaly of image false reachability by the authors). Therefore, Red can only be used to ensure that a state is not reachable when it is run with symmetry reduction, whereas symmetry enhanced Uppaal can be used to ensure that a state is reachable, or that it is not reachable.

Contribution. We have added symmetry reduction as used within Murφ, a well-established technique to combat the state space explosion problem, to the real-time model checking tool Uppaal. For researchers familiar with model checking it will come as no surprise that this combination can be made and indeed leads to a significant gain in performance. Still, the effort required to actually add symmetry reduction to Uppaal turned out to be substantial.

The soundness of the symmetry reduction technique that we developed for Uppaal does not follow trivially from the work of Ip and Dill [19] since the description languages of Uppaal and Murφ, from which symmetries are extracted
(1)  passed := ∅
(2)  waiting := Q_0
(3)  while waiting ≠ ∅ do
(4)    get q from waiting
(5)    if q ⊨ φ then return YES
(6)    else if q ∉ passed then
(7)      add q to passed
(8)      waiting := waiting ∪ {q' ∈ Q | (q, q') ∈ Δ}
(9)    fi
(10) od
(11) return NO

Fig. 1. A general forward reachability analysis algorithm



automatically, are quite different. In fact, the proof that symmetry reduction for 
Uppaal is sound takes up more than 20 pages in [14]. 

The main theoretical contribution of our work is an efficient algorithm for the 
computation of a canonical representative. This is not trivial due to Uppaal’s 
symbolic representation of sets of clock valuations. 

Many timed systems exhibit symmetries that can be exploited by our meth- 
ods. For all examples that we experimented with, we obtained a drastic reduction 
of both computation time and memory usage, exponential in the size of the scalar 
sets used. 

Outline. Section 2 presents a very brief summary of model checking and 
symmetry reduction in general, while Sections 3 and 4 introduce symmetry re- 
duction for the Uppaal model checker in particular. In Section 5, we present 
run-time data of Uppaal’s performance with and without symmetry reduction, 
and Section 6 summarizes and draws conclusions. 

A full version of the present paper including proofs of lemma 1 and of theorem 
2 is available as [15]. 

2 Model Checking and Symmetry Reduction 

This section briefly summarizes the theory of symmetry presented in [19], which 
is reused in a timed setting since (i) it has proven to be quite successful, and (ii) 
it is designed for reachability analysis, which is the main purpose of the Uppaal 
model checker. We simplify (and in fact generalize) the presentation of [19] using 
the concept of bisimulations. 

In general, a transition system is a tuple $(Q, Q_0, \Delta)$, where $Q$ is a set of states, $Q_0 \subseteq Q$ is a set of initial states, and $\Delta \subseteq Q \times Q$ is a transition relation between states. Figure 1 depicts a general forward reachability algorithm which, under the assumption that $Q$ is finite, computes whether there exists a reachable state $q$ that satisfies some given property $\phi$ (denoted by $q \models \phi$).

Due to the state space explosion problem, the number of states of a transition 
system frequently gets too big for the above algorithm to be practical. We would 
like to exploit structural properties of transition systems (in particular symme-
tries) to improve its performance. Here the well-known notion of bisimulation 
comes in naturally: 

Definition 1 (Bisimulation). A bisimulation on some transition system, say $(Q, Q_0, \Delta)$, is a relation $R \subseteq Q \times Q$ such that, for all $(q, q') \in R$,

1. $q \in Q_0$ if and only if $q' \in Q_0$,

2. if $(q, r) \in \Delta$ then there exists an $r'$ such that $(q', r') \in \Delta$ and $(r, r') \in R$,

3. if $(q', r') \in \Delta$ then there exists an $r$ such that $(q, r) \in \Delta$ and $(r, r') \in R$.

Suppose that, before starting the reachability analysis of a transition system, we know that a certain equivalence relation $\approx$ is a bisimulation and respects the predicate $\phi$ in the sense that either all states in an equivalence class satisfy $\phi$ or none of them does. Then, when doing reachability analysis, it suffices to store and explore only a single element of each equivalence class. To implement the state space exploration, a representative function $\theta$ may be used that converts a state to a representative of the equivalence class of that state:

$$\forall q \in Q \; (q \approx \theta(q)) \qquad (1)$$

Using $\theta$, we may improve the algorithm in Figure 1 by replacing lines 2 and 8, respectively, by:

(2)  waiting := { θ(q) | q ∈ Q_0 }

(8)  waiting := waiting ∪ { θ(q') | (q, q') ∈ Δ }

It can easily be shown that the adjusted algorithm remains correct: for all (finite) transition systems the outcomes of the original and the adjusted algorithm are equal. If the representative function is "good", which means that many equivalent states are projected onto the same representative, then the number of states to explore, and consequently the size of the passed set, may decrease dramatically. However, in order to apply the approach, the following two problems need to be solved:

— A suitable bisimulation equivalence that respects $\phi$ needs to be statically derived from the system description.

— An appropriate representative function $\theta$ needs to be constructed that satisfies formula (1). Ideally, $\theta$ satisfies $q \approx q' \Rightarrow \theta(q) = \theta(q')$, in which case it is called canonical.

In this paper, we use symmetries to solve these problems. As in [19], the notion of automorphism is used to characterize symmetry within a transition system. This is a bijection on the set of states that (viewed as a relation) is a bisimulation. Phrased alternatively:

Definition 2 (Automorphism). An automorphism on a transition system $(Q, Q_0, \Delta)$ is a bijection $h : Q \to Q$ such that

1. $q \in Q_0$ if and only if $h(q) \in Q_0$ for all $q \in Q$, and

2. $(q, q') \in \Delta$ if and only if $(h(q), h(q')) \in \Delta$ for all $q, q' \in Q$.

Let $H$ be a set of automorphisms, let $id$ be the identity function on states, and let $G(H)$ be the closure of $H \cup \{id\}$ under inverse and composition. It can be shown that $G(H)$ is a group, and it induces a bisimulation equivalence relation $\approx$ on the set of states as follows:

$$q \approx q' \iff \exists h \in G(H) \; (h(q) = q') \qquad (2)$$

We introduce a symmetric data type to let the user explicitly point out the symmetries in the model. Simple static checks can ensure that the symmetry that is pointed out is not broken. Our approach to the second problem, coming up with good representative functions, consists of "sorting the state" w.r.t. some ordering relation on states using the automorphisms. For instance, given a state $q$ and a set of automorphisms, find the smallest state $q'$ that can be obtained by repeatedly applying automorphisms and their inverses to $q$. It is clear that such a $\theta$ satisfies the correctness formula (1), since it is constructed from the automorphisms only.



3 Adding Scalarsets to Uppaal 

The tool Uppaal is a model checker for networks of timed automata extended with discrete variables (bounded integers, arrays) and blocking, binary synchronization as well as non-blocking broadcast communication (see for instance [21]). In the remainder of this section we illustrate by an example Uppaal's description language extended with a scalarset type constructor allowing symmetric data types to be syntactically indicated. Our extension is based on the notion of scalarset first introduced by Ip and Dill in the finite-state model checking tool Murφ [10, 19]. Also our extension is based on the C-like syntax to be introduced in the forthcoming version 4.0 of Uppaal.

To illustrate our symmetry extension of Uppaal we consider Fischer's mutual exclusion protocol. This protocol consists of n processes identical up to their unique process identifiers. The purpose of the protocol is to ensure mutual exclusion on the critical sections of the processes. This is accomplished by letting each process write its identifier (pid) in a global variable (id) before entering its critical section. If after some given lower time bound (say 2) id still contains the pid of the process, then it may enter its critical section.

A scalarset of size n may be considered as the subrange $\{0, 1, \ldots, n-1\}$ of the natural numbers. Thus, the n process identifiers in the protocol can be modeled using a scalarset with size n. In addition to the global variable id, we use the array active to keep track of all active locations of the processes¹. Global declarations are the following:



¹ This array is actually redundant and not present in the standard formulations of the protocol. However, it is useful for showing important aspects of our extension.
[Figure 2: the template header process Fischer(const proc_id pid) and the automaton with locations idle, req, wait and cs; the guard set==0 is visible on one of its edges]

Fig. 2. The template for Fischer's protocol



typedef scalarset[3] proc_id;   // a scalarset type with size 3
proc_id id;                      // declaration of a proc_id variable
bool set;                        // declaration of a boolean
int active[proc_id];             // declaration of an array indexed by proc_id

The first line defines proc_id to be a scalarset type of size 3, and the second line 
declares id to be a variable over this type. Thus scalarset is in our extension 
viewed as a type constructor. In the last line we show a declaration of an array 
indexed by elements of the scalarset proc_id. 

At this point the only thing missing is the declaration of the actual processes in the system. In the description language of Uppaal, processes are obtained as instances of parameterized process templates. In general, templates may contain several different parameters (e.g. bounded integers, clocks, and channels). In our extension we allow in addition the use of scalarsets as parameters. In the case of Fischer's protocol the processes of the system are given as instances of the template depicted in Figure 2. The template has one local clock, x, and no local variables. Note that the header of the template defines a (constant) scalarset parameter pid of type proc_id. Access to the critical section cs is governed by suitable updates and tests of the global scalarset variable id together with upper and lower bound time constraints on when to proceed from requesting access (req) respectively proceed from waiting for access (wait). Note that all transitions update the array active to reflect the current active location of the process. The instantiation of this template and the declaration of all three processes in the system can be done as follows:

FischerProcs = forall i in proc_id : Fischer(i); 
system FischerProcs; 
The forall construct iterates over all elements of a declared scalarset type. In this case the iteration is over proc_id, and a set of instances of the template Fischer is constructed and bound to FischerProcs. In the second line the final system is defined to be precisely this set.

4 Using Scalarsets for Symmetry Reduction 

As a preliminary to this section we briefly mention the state representation of Uppaal: a state is a tuple $(l, v, Z)$, where $l$ is the location vector, $v$ is the integer variable valuation, and $Z$ is a zone, which is a convex set of clock valuations that can efficiently be represented by a difference bounded matrix (DBM) [5, 9].

4.1 Extraction of Automorphisms 

This subsection is a very brief summary of [14], to which we refer for further 
details. The new syntax described in the previous section enables us to derive 
the following information from a system description: 

— A set $\Omega$ of scalarset types.

— For each $\alpha \in \Omega$: (i) a set $V_\alpha$ of variables of type $\alpha$, and (ii) a set $D_\alpha$ of pairs $(a, n)$ where $a$ is an array and $n$ is a dimension of $a$ that must be indexed by variables of type $\alpha$ to ensure soundness. We assume that arrays that are indexed by scalarsets do not contain elements of scalarsets. The reason is that this would make computation of a canonical representative as hard as testing for graph isomorphism.

— A partial mapping $\gamma : P \times \Omega \to \mathbb{N}$ that gives for each process $p$ and scalarset $\alpha$ the element of $\alpha$ with which $p$ is instantiated. This mapping is defined by quantification over scalarsets in the process definition section.

This information enables us to derive so-called state swaps. Let $Q$ be the set of states of some Uppaal model, and let $\alpha$ be a scalarset type in the model with size $n$. A state swap $swap^{\alpha}_{i,j} : Q \to Q$ can be defined for all $0 \le i < j < n$, and consists of two parts:

— The multiple process swap swaps the contributions to the state of all pairs of processes $p$ and $p'$ if they originate from the same template and $\gamma(p, \alpha) = i$, $\gamma(p', \alpha) = j$ and $\gamma(p, \beta) = \gamma(p', \beta)$ for all $\beta \neq \alpha \in \Omega$. Swapping such a pair of symmetric processes consists of interchanging the active locations and the values of the local variables and clocks (note that this is not a problem since the processes originate from the same template).

— The data swap swaps array entries $i$ and $j$ of all dimensions that are indexed by scalarset $\alpha$ (these are given by the set $D_\alpha$). Moreover, it swaps the value $i$ with the value $j$ for all variables in $V_\alpha$.

Consider the instance of Fischer's mutual exclusion protocol (as described in the previous section) with three processes. There are three swap functions: $swap^{proc\_id}_{0,1}$, $swap^{proc\_id}_{0,2}$ and $swap^{proc\_id}_{1,2}$. Now consider the following state of the model (the active location of the $i$-th process is given by $l_i$ and the local clock of this process is given by $x_i$):

  l : l_0 = idle, l_1 = wait, l_2 = cs
  v : id = 2, set = 1
  Z : x_0 = 4, x_1 = 3, x_2 = 2.5
  active : active[0] = 0, active[1] = 2, active[2] = 3

When we apply $swap^{proc\_id}_{0,2}$ to this state, the result is the following state:

  l : l_0 = cs, l_1 = wait, l_2 = idle
  v : id = 0, set = 1
  Z : x_0 = 2.5, x_1 = 3, x_2 = 4
  active : active[0] = 3, active[1] = 2, active[2] = 0

The process swap swaps $l_0$ with $l_2$, and $x_0$ with $x_2$. The data swap first changes the value of the variable id from 2 to 0, since id $\in V_{proc\_id}$, and then swaps the values of active[0] and active[2]. Applying $swap^{proc\_id}_{1,2}$ to this state gives the following state:

  l : l_0 = cs, l_1 = idle, l_2 = wait
  v : id = 0, set = 1
  Z : x_0 = 2.5, x_1 = 4, x_2 = 3
  active : active[0] = 3, active[1] = 0, active[2] = 2

Note that this swap does not change the value of id, since the scalarset elements 1 and 2 are interchanged and id contains scalarset element 0.

A number of syntactic checks have been identified that ensure that the symmetry suggested by the scalarsets is not broken. These checks are very similar to those originally identified for the Murφ verification system [19]. For instance, it is not allowed to use variables of a scalarset type for arithmetical operations such as addition. The next soundness theorem has been proven in [14]:

Theorem 1 (Soundness). Every state swap is an automorphism.

As a result, the representative function $\theta$ can be implemented by minimization of the state using the state swaps. Note that every state swap resembles a transposition of the state. Hence, the equivalence classes induced by the state swaps originating from a scalarset with size $n$ consist of at most $n!$ states. The maximal theoretical gain that can be achieved using this set of automorphisms is therefore in the order of a factor $n!$.



4.2 Computation of Representatives 

The representative of a state is defined as the minimal element of the symmetry class of that state w.r.t. a total order $\prec$ on the symmetry class. In general, the DBM representation of zones renders an efficient canonical minimization algorithm impossible, since minimization of a general DBM for any given total order using state swaps is at least as difficult as testing for graph isomorphism for strongly regular graphs [14]. If we assume, however, that the timed automaton that is analyzed resets its clocks to zero only, then the zones (DBMs) that are generated by the forward state space exploration satisfy the nice diagonal property. This property informally means that the individual clocks can always be ordered using the order in which they were reset. To formalize this, three binary relations on the set of clocks parameterized by a zone $Z$ are defined:

$$x \le_Z y \iff \forall v \in Z:\ v(x) \le v(y) \qquad (3)$$

$$x \approx_Z y \iff \forall v \in Z:\ v(x) = v(y) \qquad (4)$$

$$x <_Z y \iff x \le_Z y \wedge \neg(x \approx_Z y) \qquad (5)$$

The diagonal property is then defined as follows.

Lemma 1 (Diagonal Property). Consider the state space exploration algorithm described in figure 6 of [21]. Assume that the clocks are reset to the value 0 only. For all states $(l, v, Z)$ stored in the waiting and passed list and for all clocks $x$ and $y$ holds that either $x <_Z y$, or $x \approx_Z y$, or $y <_Z x$.

Using the reset order on clocks and the diagonal property, we can define a total order, say $\prec$, on all states within a symmetry class whose minimal element can be computed efficiently. To this end we first assume a fixed indexing of the set of clocks $X$: a bijection $p : X \to \{1, 2, \ldots, |X|\}$. Now note that $\approx_Z$ is an equivalence relation that partitions $X$ in $P = \{X_1, X_2, \ldots, X_n\}$. We define a relation on the cells of $P$ as follows:

$$X_i < X_j \iff (\forall x \in X_i, y \in X_j:\ x <_Z y) \qquad (6)$$

Clearly this is a total order on $P$. Let $X_i$ be a cell of $P$. The code of $X_i$, denoted by $C^*(X_i)$, then is the lexicographically sorted sequence of the indices of the clocks in $X_i$ (the set $\{p(x) \mid x \in X_i\}$). The zone code of the zone which induced $P$ is then defined as follows.

Definition 3 (Zone Code). Let $Z$ be a zone and let $P = \{X_1, X_2, \ldots, X_n\}$ be the partitioning of the set of clocks $X$ under $\approx_Z$ such that $i < j \Rightarrow X_i < X_j$ (we can assume this since $<$ is a total order on $P$). The zone code of $Z$, denoted by $C(Z)$, is the sequence $(C^*(X_1), C^*(X_2), \ldots, C^*(X_n))$.

Note that every zone has exactly one zone code since the indices of equivalent clocks are sorted. Moreover, zone codes can lexicographically be ordered, since they are sequences of number sequences. This order is then used in the following way to define a total order on the states in a symmetry class (the orders on the location vectors and variable valuations are just the lexicographical order on sequences of numbers):
(1)  for all α ∈ Ω do
(2)    for i = 1 to |α| do
(3)      for j = 1 to |α| − i do
(4)        if swap^α_{j−1,j}(q) ≺ q then
(5)          q := swap^α_{j−1,j}(q)
(6)      od
(7)    od
(8)  od

Fig. 3. Minimization of state q using the bubble-sort algorithm. The size of scalarset type α is denoted by |α|



$$(l, v, Z) \prec (l', v', Z') \iff (l < l') \vee (l = l' \wedge v < v') \vee (l = l' \wedge v = v' \wedge C(Z) < C(Z')) \qquad (7)$$

We minimize the state w.r.t. the order of equation (7) using the state swaps by applying the bubble-sort algorithm to it, see Figure 3. It is clear that this representative computation satisfies the soundness equation (1), since states are transformed using the state swaps only, which are automorphisms by Theorem 1. We note that $swap^{\alpha}_{j-1,j}(q)$ is not computed explicitly for the comparison in the fourth line of the algorithm; using the statically derived $\gamma$, $D_\alpha$ and $V_\alpha$ (see section 4.1) we are able to tell whether swapping results in a smaller state.

The following theorem states the main technical contribution of our work. 
Informally, it means that the detected symmetries are optimally used. 

Theorem 2 (Canonical Representative). The algorithm in Figure 3 com- 
putes a canonical representative. 

Note that we assumed that arrays that are indexed by scalarsets do not con- 
tain elements of scalarsets. Otherwise, computation of a canonical representative 
is as hard as graph isomorphism, but this is entirely due to the discrete part of 
the model, and not to the clock part. 
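The following is an added worked example of the zone code and of the bubble-sort minimization of Fig. 3; it is not code from the paper or from the Uppaal prototype. It models a state of n symmetric processes (one scalarset) as a location vector, a variable vector and the partition of the clocks {1, ..., n} under the reset-order equivalence (cells listed from earliest reset to latest); the zone itself is not represented, since only its partition enters the zone code. The sample state is constructed, and a brute-force minimum over all n! renamings is included only to check that the result is canonical, as Theorem 2 claims.

```python
from itertools import permutations

# Added example, not code from the paper or from Uppaal.  A state is a triple
# (locs, vars, cells): locs[i-1] and vars[i-1] are the location and variable
# value of process i (i in the scalarset {1, ..., n}), and cells is the partition
# of the clocks {1, ..., n} (one clock per process) under the reset-order
# equivalence, listed from the earliest-reset cell to the latest.


def zone_code(cells):
    """C(Z) of Definition 3: sorted index sequence of every cell, cells in reset order."""
    return tuple(tuple(sorted(cell)) for cell in cells)


def state_key(state):
    """The order of equation (7): location vector, then variable vector, then zone code."""
    locs, vars_, cells = state
    return (tuple(locs), tuple(vars_), zone_code(cells))


def apply_permutation(state, pi):
    """Rename scalarset element i to pi[i] everywhere it occurs (a state automorphism)."""
    locs, vars_, cells = state
    n = len(locs)
    new_locs, new_vars = [None] * n, [None] * n
    for i in range(1, n + 1):
        new_locs[pi[i] - 1] = locs[i - 1]
        new_vars[pi[i] - 1] = vars_[i - 1]
    new_cells = [frozenset(pi[x] for x in cell) for cell in cells]
    return (new_locs, new_vars, new_cells)


def swap(state, j):
    """swap^a_{j,j+1}(q): exchange scalarset elements j and j+1 (1-based)."""
    n = len(state[0])
    pi = {i: i for i in range(1, n + 1)}
    pi[j], pi[j + 1] = j + 1, j
    return apply_permutation(state, pi)


def canonical_representative(state):
    """The bubble-sort minimisation of Fig. 3 for a single scalarset type."""
    q = state
    n = len(state[0])
    for i in range(1, n + 1):
        for j in range(1, n - i + 1):
            candidate = swap(q, j)
            if state_key(candidate) < state_key(q):
                q = candidate
    return q


def brute_force_minimum(state):
    """Smallest key over all n! renamings; only used to confirm canonicity."""
    n = len(state[0])
    keys = []
    for perm in permutations(range(1, n + 1)):
        pi = {i + 1: perm[i] for i in range(n)}
        keys.append(state_key(apply_permutation(state, pi)))
    return min(keys)


def example_state():
    """Constructed sample: four processes of a mutual-exclusion model."""
    locs = ["wait", "cs", "idle", "wait"]
    vars_ = [1, 0, 0, 1]
    cells = [frozenset({2}), frozenset({1, 4}), frozenset({3})]
    return (locs, vars_, cells)


if __name__ == "__main__":
    rep = canonical_representative(example_state())
    print(state_key(rep))
    print(state_key(rep) == brute_force_minimum(example_state()))
```

Comparing the swapped state with the current one reduces, per equation (7), to comparing the keys (location, variable, cell index) of processes j and j+1, which is why the adjacent-swap bubble sort reaches the minimum; the brute-force check makes that visible for the sample without relying on the argument.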

5 Experimental Results 

This section presents and discusses experimental data that was obtained by the 
Uppaal prototype on a dual Athlon 2000+ machine with 3 GB of RAM. The 
measurements were done using the tool memtime, for which a link can be found 
at the Uppaal website http://www.uppaal.com/. 

In order to demonstrate the effectiveness of symmetry reduction, the resource 
requirements for checking the correctness of Fischer’s mutual exclusion protocol 
were measured as a function of the number of processes for both regular Uppaal 
and the prototype, see Figure 4. A conservative extrapolation of the data shows 
that the verification of the protocol for 20 processes without symmetry reduction 
would take 115 days and 1000 GB of memory, whereas this verification can be 
done within approximately one second using less than 10 MB of memory with 
symmetry reduction. 

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[Figure 4: plot of run time and memory usage; x-axis: Processes] 

Fig. 4. Run-time data for Fischer’s mutual exclusion protocol showing the enormous 
gain of symmetry reduction. The step in the graph of the memory usage is probably 
due to the fact that Uppaal allocates memory in chunks of a few megabytes at a 
time 

Similar results have been obtained for the CSMA/CD protocol ([24, 27]) 
and for the timeout task of a distributed agreement algorithm¹ [4]. To be more 
precise, regular Uppaal’s limit for the CSMA/CD protocol is approximately 
10 processes, while the prototype can easily handle 50 processes. Similarly, the 
prototype can easily handle 30 processes for the model of the timeout task, 
whereas regular Uppaal can only handle 6. 

Besides the three models discussed above, we also investigated the gain of 
symmetry reduction for two more complex models. First, we experimented with 
the previously mentioned agreement algorithm, of which we are unable to verify 
an interesting instance even with symmetry reduction due to the size of the state 
space. Nevertheless, symmetry reduction showed a very significant improvement. 
Second, we experimented with a model of Bang & Olufsen’s audio/video proto- 
col [13]. The mentioned paper describes how Uppaal is used to find a bug in the 
protocol, and it describes the verification of the corrected protocol for two (sym- 
metric) senders. Naturally, we added another sender - verification of the model 
for three senders was impossible at the time of the first verification attempt - 
and we found another bug, whose source and implications we are investigating 
at the time of this writing. Table 1 shows run-time data for these models. 

¹ Models of the agreement algorithm and its timeout task are available through the 
URL http://www.cs.kun.nl/~martijnh/ 

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Table 1. Comparing the time and memory consumption of the relations for the 
agreement algorithm and for Bang & Olufsen’s audio/video protocol with two and 
three senders. The exact parameters of the agreement model are the following: n = 
2, f = 1, ones = 0, c_1 = 1, c_2 = 2 and d varied (the value is written between 
the brackets). Furthermore, the measurements were done for the verification of the 
agreement invariant only. Three verification runs were measured for each model and 
the best one w.r.t. time is shown 

    Model            Time [s]                     Memory [MB] 
                     No reduction   Reduction     No reduction   Reduction 
    Agreement (0)        1              3              33            45 
    Agreement (1)       21             16             294           180 
    Agreement (2)       80             23             905           245 
    Agreement (3)      231             32            2126           321 
    B&O (2)              2              1              16            10 
    B&O (3)            265             36            1109           181 



6 Conclusions 

The results we obtained with our prototype are clearly quite promising: with 
relatively limited changes/extensions of the Uppaal code we obtain a rather 
drastic improvement of performance for systems with symmetry that can be 
expressed using scalarsets. 

An obvious next step is to do experiments concerning profiling where compu- 
tation time is spent, and in particular how much time is spent on computing rep- 
resentatives. In the tool Design/CPN [18, 20, 11] (where symmetry reduction is 
a main reduction mechanism) there have been interesting prototype experiments 
with an implementation in which the (expensive) computations of representa- 
tives were launched as tasks to be solved in parallel with the main exploration 
algorithm. 

The scalarset approach that we follow in this paper only allows one to express 
total symmetries. An obvious direction for future research will be to study how 
other types of symmetry (for instance as we see it in a token ring) can be 
exploited. 
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Abstract. Times is a tool suite designed mainly for symbolic schedu- 
lability analysis and synthesis of executable code with predictable be- 
haviours for real-time systems. Given a system design model consist- 
ing of (1) a set of application tasks whose executions may be required 
to meet mixed timing, precedence, and resource constraints, (2) a net- 
work of timed automata describing the task arrival patterns and (3) 
a preemptive or non-preemptive scheduling policy, Times will generate 
a scheduler, and calculate the worst case response times for the tasks. 
The design model may be further validated using a model checker e.g. 
UPPAAL and then compiled to executable C-code using the Times com- 
piler. In this paper, we present the design and main features of Times 
including a summary of theoretical results behind the tool. Times can 
be downloaded at www.timestool.com. 



1 Introduction 

In classic scheduling theory, real time tasks (processes) are usually assumed to 
be periodic, i.e. tasks arrive (and will be computed) with fixed rates periodically. 
Analysis based on such a model of computation often yields pessimistic results. 
To relax the stringent constraints on task arrival times, we have proposed to use 
automata with timing constraints to model task arrival patterns [1]. This yields 
a generic task model for real time systems. The model is expressive enough to 
describe concurrency and synchronization, and real time tasks which may be 
periodic, sporadic, preemptive or non-preemptive, as well as precedence and re- 
source constraints. We believe that the model may serve as a bridge between 
scheduling theory and automata-theoretic approaches to system modeling and 
analysis. The standard notion of schedulability is naturally generalized to au- 
tomata. An automaton is schedulable if there exists a scheduling strategy such 
that all possible sequences of events accepted by the automaton are schedulable 
in the sense that all associated tasks can be computed within their deadlines. 
It has been shown that the schedulability checking problem for such models is 
decidable [1]. A recent work [6] shows that for fixed priority scheduling strategy, 
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the problem can be efficiently solved by reachability analysis on timed automata 
using only 2 extra clock variables. The analysis can be done in a similar manner 
to response time analysis in classic Rate-Monotonic Scheduling. 

The first main function of Times is developed based on these recent results 
on schedulability analysis. Its second main function is code generation. Code 
generation is to transform a validated design model to executable code whose 
execution preserves the behaviour of the model. Given a system design model 
in Times including a set of application tasks, task constraints, task arrival 
patterns and a scheduling policy adopted on the target platform, Times will 
generate a scheduler and calculate the worst-case response times for all tasks. 
The model may be further validated by a model-checker e.g. UPPAAL [9], and 
then compiled to executable C-code. We assume that the generated code will be 
executed on a platform on which every annotated task in the design model will 
not take more than the given computing time. Further assume that the platform 
guarantees the synchronous hypothesis in the sense that the times for handling 
system functions e.g. collecting external events can be ignored compared with the 
computing times and deadlines for the annotated tasks. Under these assumptions 
on the platform, code generation is essentially to resolve non-determinism in 
the design model. In Times, time non-determinism is resolved by the maximal 
progress assumption, that is, whenever a transition is enabled, it should be taken. 
External non-determinism in accepting events is resolved using priority order. 

The rest of the paper is organized as follows: the next section describes 
the core of the input Times language and its informal semantics. Section 3 
summarizes briefly the main theoretical work on schedulability analysis and code 
synthesis. Section 4 describes the main features of Times, the tool architecture 
and the main components in the implementation. Section 5 concludes the paper 
with a summary of ongoing work and future development. 

2 Task Models in Times 

The two central concepts in Times are task and task model. A task (or task type) 
is an executable program (e.g. in C) with task parameters: worst case execution 
time and deadline. A task may have different task instances that are copies of the 
same program with different inputs. A task model is a task arrival pattern such 
as periodic and sporadic tasks. In Times, timed automata are used to describe 
task arrival patterns. 

2.1 Tasks Parameters and Constraints 

Following the literature [4], we consider three types of task constraints. 

Timing Constraints. A typical timing constraint on a task is deadline, i.e. the 
time point before which the task should complete its execution. We assume that 
the worst case execution times (WCET) of tasks are known (or pre-specified). 
We characterize a task as a pair of natural numbers denoted (C, D) with C < D, 
where C is the WCET of P, D is the relative deadline for P. In general, the 
execution time of a task can be an interval [C_b, C_w] where C_b and C_w are 
the best and worst case execution times. The deadline D is a relative deadline 
meaning that when task P is released, it should finish within D time units. 

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Fig. 1. Example of cyclic AND/OR precedence graph 
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 

Fig. 2. An example semaphore access pattern 



Precedence Constraints. The execution of a task set may have to respect 
some precedence relations. These relations are usually described through a prece- 
dence graph in which nodes represent tasks and edges represent precedence re- 
lation. In Times, we use cyclic AND/OR-precedence graphs in which we distin- 
guish ordinary and inter-iterative edges [3], such that inter-iterative 
precedence constraints apply to all task instances except for the first one. An 
example of such graph is shown in Figure 1. 

According to the graph, P4 can start its execution only if it is preceded by P3 
and either P1 or P2. The first instance of task P1 can start its execution at any 
time while any further instance of P1 must be preceded by task P4. 



Resource Constraints. Tasks may share resources or data variables protected 
by semaphores. A task must follow its given semaphore access pattern to lock 
and unlock semaphores, which is the resource constraint on the task. The access 
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to semaphores will be scheduled using priority ceiling protocols e.g. the highest 
locker protocol [10]. A semaphore access pattern for a task is a list of timed 
semaphore-operations in the form {S_i(P_i, V_i)} where S_i is the semaphore name, 
P_i is the accumulated execution time needed for the task to reach the lock- 
operation on S_i and V_i is the accumulated execution time needed for the task 
to reach the unlock-operation on S_i. The blocking time for S_i is V_i − P_i. An 
example semaphore access pattern {S_1(3, 13), S_2(6, 11)} of a task is illustrated 
in Figure 2. The task will try to lock S_1 when it has been executed for 3 time 
units and it will lock it for 10 time units. 

2.2 Timed Automata as Task Arrival Patterns 

The core of the Times input language is timed automata extended with data 
variables [9] and tasks [5] and [7]. As in the UPPAAL model, each edge of such 
an extended automaton is labeled with three labels: 

1. A guard containing a clock constraint and/or a predicate on data variables. 

2. An action which can be an input or output action in the form of a! and a?. 

3. A sequence of assignments in the form: x := 0 when x is a clock or v := E 
when v is a data variable, where E is a mathematical expression over data 
variables and constants. 

A location of an extended automaton may be annotated with a task or a set of 
tasks that will be triggered when the transition leading to the location is taken. 
The triggered tasks will be put in a task queue (i.e. ready queue in operating 
system) and scheduled to run according to a given scheduling policy. The sched- 
uler should make sure that all the task constraints are satisfied in scheduling 
the tasks in the task queue. To model concurrency and synchronisation between 
automata, networks of automata are constructed in the standard way as in e.g. 
UPPAAL with the annotated sets of tasks on locations unioned. 

2.3 Shared Data Variables 

Four types of shared data variables can be used for communication and resource 
sharing: 

1. Tasks may have shared variables with each other, protected by semaphores. 

2. Tasks may read and update variables owned by the automata. 

3. Automata can read (but not update) variables owned by the tasks. 

4. Automata may have shared variables with each other. 

3 Analysis and Synthesis 

In Times, a timed automaton annotated with tasks (or network of such au- 
tomata) is considered as a design model. The tool offers two main functions: 
schedulability analysis of design models and generation of executable code from 
the models. 
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3.1 Schedulability Analysis 

In [7], an operational semantics for timed automata extended with tasks is de- 
veloped. A semantic state of such an automaton is a triple (l, u, q) where l is 
the current control location, u denotes the current values of clocks and data 
variables, and q is the current task queue keeping all the released tasks to be 
executed. The semantics of an automaton is defined by a transition system in 
which the transition rules are parameterized by a scheduling policy to schedule 
the task queue when new tasks are released. 

Given an extended automaton and a scheduling policy, the related schedula- 
bility analysis problem is to check whether there exists a reachable state (l, u, q) 
of the automaton where the task queue q contains a task which misses its given 
deadline. Such states are called non-schedulable states. An automaton is said 
to be non-schedulable with the given scheduling policy if it may reach a non- 
schedulable state. Otherwise the automaton is schedulable. As the number of 
reachable states of an extended automaton is infinite, it is not obvious that the 
schedulability analysis problem is decidable. 

The first decidability result is presented at TACAS 2002 showing that the 
schedulability checking problem for the optimal scheduling policy i.e. EDF can 
be solved by reachability analysis on timed automata extended with subtraction 
on clocks. Consider an automaton A and a scheduling strategy Sch. To check if A 
is schedulable with Sch, we construct timed automata E(Sch) (the scheduler), 
and E(A) (the task arrival pattern), and check the reachability of a predefined 
error state in the product automaton of the two. If the error state is reachable, 
automaton A is not schedulable with Sch. 

The maximal number of clock variables needed in constructing the sched- 
uler automaton is 2n where n = Σ_{i ∈ V} ⌈D_i / C_i⌉ is the total number of schedulable 
task instances, V is the set of task types, and C_i, D_i are the computing 
time and deadline for each task type i. 

To construct E(A), the automaton A is annotated with distinct synchro- 
nization actions release_i on all edges leading to locations labeled with the task 
name P_i (assume that only one task is annotated). The actions will allow the 
scheduler to observe when a task is released by A for execution. The structure 
of E(Sch) is shown in Figure 3. 

The main idea is to keep track of the task queue, denoted by q on each step of 
the reachability analysis. Therefore in the encoding E(Sch) there is a transition 
with the guard nonschedulable(q) from every location where the queue is not 
empty (i.e. from all locations except Idle) to the error state. In the encoding, the 
task queue q is represented as a vector containing pairs of clocks (c_i, d_i) for every 
released task instance, called execution time and deadline clock respectively. The 
intuitive interpretation of the locations in E(Sch) is as follows: 

— Idle - the task queue is empty, 

— Arrived(P_i) - the task instance P_i has arrived, 

— Run(P_i) - the task instance P_i is running, 

— Finished - a task instance has finished, 

— Error - the task queue is non-schedulable. 
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Locations Arrived(P_i) and Finished are marked as committed, which means 
that they are left directly after entering. 

We use the predicate nonschedulable(q) to denote the situation when the task 
queue becomes non-schedulable and naturally there is a transition labeled with 
the predicate leading to the error-state. The predicate is encoded as follows: 
∃P_i ∈ q such that d_i > D_i. 

We use Sch in the encoding as a name holder for a scheduling policy to sort 
the task queue. A given scheduling policy is represented by the predicate: P_i = 
Hd(Sch(q)). For example, Sch can be: 

— Highest priority first (FPS): P_i ∈ q, ∀P_k ∈ q . Pri(P_i) ≤ Pri(P_k) where Pri(P) 
denotes the fixed priority of P. 

— First come first served (FCFS): P_i ∈ q, ∀P_k ∈ q . d_i ≥ d_k 

— Earliest deadline first (EDF): P_i ∈ q, ∀P_k ∈ q . D_i − d_i ≤ D_k − d_k 

— Least laxity first (LLF): P_i ∈ q, ∀P_k ∈ q . c_i − d_i + D_i − C_i ≤ c_k − d_k + D_k − C_k 

For a more detailed description of the automaton E(Sch), see [7]. 
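The following is an added example, not code from Times or from [7]: a discrete-time simulation of the scheduler encoding above, with the four policies written as the predicates over the task queue that select Hd(Sch(q)), the clocks c_i and d_i kept per released instance, and the nonschedulable(q) check. The task set, the priorities and the arrival trace are constructed for the illustration; they are chosen so that FCFS reaches the error state while FPS, EDF and LLF do not.

```python
from dataclasses import dataclass

# Added example, not Times' own code: unit-step simulation of the scheduler
# automaton E(Sch) with the policies of Section 3.1 (preemptive version).


@dataclass(frozen=True)
class TaskType:
    name: str
    C: int    # worst-case execution time
    D: int    # relative deadline
    pri: int  # fixed priority for FPS (smaller value = higher priority)


@dataclass
class Instance:
    task: TaskType
    release: int
    c: int = 0  # execution-time clock c_i: accumulated execution so far
    d: int = 0  # deadline clock d_i: time elapsed since release


# Sch(q): each policy as a key function; Hd(Sch(q)) is the element with the minimal key.
POLICIES = {
    "FPS":  lambda p: p.task.pri,                       # highest priority first
    "FCFS": lambda p: -p.d,                             # longest in the queue first
    "EDF":  lambda p: p.task.D - p.d,                   # earliest deadline first
    "LLF":  lambda p: p.c - p.d + p.task.D - p.task.C,  # least laxity first
}


def nonschedulable(q):
    """The paper's predicate is ∃P_i ∈ q . d_i > D_i.  With unit time steps a task
    that is still unfinished when d_i = D_i can only complete with d_i > D_i, so
    the check is d_i ≥ D_i together with c_i < C_i."""
    return any(p.d >= p.task.D and p.c < p.task.C for p in q)


def simulate(releases, policy):
    """Run a release trace (list of (time, TaskType), non-negative integer times)
    under a preemptive policy.  Returns (schedulable, finished), where finished
    lists (name, release, finish) per completed instance; its response time is
    finish - release.  On a deadline miss the partial list is returned."""
    key = POLICIES[policy]
    pending = sorted(releases, key=lambda r: r[0])
    q, finished, t = [], [], 0
    while pending or q:
        while pending and pending[0][0] == t:      # Arrived(P_i): instance enters q
            q.append(Instance(pending.pop(0)[1], release=t))
        if nonschedulable(q):                      # transition to Error
            return False, finished
        if q:
            head = min(q, key=key)                 # Hd(Sch(q)); ties keep arrival order
            head.c += 1                            # Run(P_i) for one time unit
        t += 1
        for p in q:
            p.d += 1                               # deadline clocks keep running
        for p in list(q):
            if p.c == p.task.C:                    # Finished
                q.remove(p)
                finished.append((p.task.name, p.release, t))
    return True, finished


TASK_A = TaskType("A", C=2, D=2, pri=1)
TASK_B = TaskType("B", C=3, D=10, pri=2)


def example_releases():
    """Constructed arrival trace: B and A released together at time 0, B listed first."""
    return [(0, TASK_B), (0, TASK_A)]


if __name__ == "__main__":
    for name in POLICIES:
        print(name, simulate(example_releases(), name))
```

Under FCFS the tie at time 0 is broken in arrival order, so B runs first and A is still unfinished when d_A reaches D_A = 2; the other three policies run A first and both instances complete, giving response times 2 and 5.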

Variant Execution Times. The analysis for tasks with constant execution 
times can be extended to deal with interval execution times: [C_iB, C_iW] for each 
task P_i (the best case and worst case execution times). The idea is to modify the 
scheduler automaton as shown in Figure 4. We use c_i to keep track of the lower 
bound of the accumulated execution time for P_i, and w_i to denote the accu- 
mulated difference between best and worst completion time of P_i. Obviously w_i 
should be set to C_iW − C_iB in the beginning of task execution. Observe that 
each preemption will enlarge the difference for the preempted task with lower 
priority by the difference for the finishing task with higher priority. Accordingly, 
we modify the scheduler automaton as follows: The guard on edge from loca- 
tion Run(P_j) to Finished should be C_jB ≤ c_j ≤ C_jB + w_j and variable updating 
should be c_k := c_k − C_jB, w_k := w_k + w_j for all k such that preempted(P_k). The 
rest of the scheduler automaton remains the same as before. 




[Figure 3: scheduler automaton; edge labels include not(empty(q)) and 
P_i := Hd(Sch(q))] 

Fig. 3. Scheduler automaton 
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Fixed Priority Scheduling Policy. In a recent work [6], it is shown that 
the schedulability problem for Fixed Priority Scheduling Policy can be solved 
efficiently using ordinary timed automata with only two clock variables (in addi- 
tion to the original clocks used to describe task arrivals). For models with shared 
data variables (e.g. data dependent control when the values of data variables of 
a task may influence the release time of task instances), the number of clocks 
needed in the analysis is n + 1 where n is the number of tasks involved in the 
data sharing. More recently these results are extended to handle precedence and 
resource constraints [8] and implemented in Times. 

3.2 Code Generation 

The second main function of the tool is code generation. We consider automata 
extended with tasks as design models. Code generation is to transform a vali- 
dated design model to executable code whose execution preserves the behaviour 
of the model. We assume that the generated code will be executed on a platform 
on which every annotated task in the design model will not take more than the 
given computing time. Further assume that the platform guarantees the syn- 
chronous hypothesis in the sense that the times for handling system functions 
e.g. collecting external events can be ignored compared with the computing times 
and deadlines for the annotated tasks. Under these assumptions on the platform, 
code generation is essentially to resolve non-determinism in the design model. 



Deterministic Semantics. A model can exhibit two types of non-determinism: 
time non-determinism, i.e. that an enabled transition can be taken at any time point 
within the time-zone, and external non-determinism i.e. that several actions may 
be simultaneously present from the environment. To overcome the problems 
introduced by this we adopt a deterministic semantics that define a subset of 
the behaviour. External non-determinism is resolved by defining priorities for 
action transitions in the controller. If several transitions are enabled in a state 
the one with the highest priority is taken. Time non-determinism is resolved 
by adopting the so-called maximal-progress assumption [11]. Maximal-progress 
means that the controller should take all enabled transitions until the system 
stabilises, i.e. no more action transitions are enabled. 
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Structure of the Generated Code. Times is currently able to generate code 
for a small generic operating system (brickOS), and code for platform indepen- 
dent execution. The generated code is in C and an optimising compiler is used 
to compile the final program. For both cases, the control structure of the timed 
automata is encoded into four tables and two functions. These are used by an 
event handling procedure which is invoked on events (such as timeouts and ar- 
rival of external events) to update the state of the controller. When an action 
transition has been executed the event handling procedure will continue to ex- 
ecute transitions until a stable state is reached, i.e. it implements the maximal 
progress or run-to-completion semantics. 
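The following is an added example illustrating the deterministic semantics and the event handling procedure just described; it is not the code that Times generates, and the edge table, locations, variables and the sensor event are constructed for this illustration. External non-determinism is resolved by the priority on the edges, time non-determinism by firing internal edges until the controller is stable.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not Times' generated code: a controller given as an edge table
# and an event handling procedure with priority resolution and maximal progress.


@dataclass(frozen=True)
class Edge:
    source: str
    event: Optional[str]             # external action a? enabling the edge; None = internal edge
    priority: int                    # smaller value wins when several edges are enabled
    guard: Callable[[dict], bool]
    update: Callable[[dict], None]
    target: str


class Controller:
    MAX_STEPS = 100                  # bound: an internal cycle would never stabilise

    def __init__(self, edges, initial, variables):
        self.edges, self.location, self.vars = edges, initial, dict(variables)
        self.trace = []              # fired edges as (source, event, target)

    def enabled(self, event):
        return [e for e in self.edges
                if e.source == self.location and e.event == event and e.guard(self.vars)]

    def fire(self, edge):
        edge.update(self.vars)
        self.trace.append((edge.source, edge.event, edge.target))
        self.location = edge.target

    def handle_event(self, event):
        """Event handling procedure: consume `event` through the highest-priority
        enabled edge, then keep taking internal edges until none is enabled
        (maximal progress / run-to-completion).  Returns the stable location."""
        candidates = self.enabled(event)
        if candidates:
            self.fire(min(candidates, key=lambda e: e.priority))
        for _ in range(self.MAX_STEPS):
            internal = self.enabled(None)
            if not internal:
                return self.location
            self.fire(min(internal, key=lambda e: e.priority))
        raise RuntimeError("controller did not stabilise: internal edges form a cycle")


def example_controller():
    """Constructed sample: count sensor events and raise an alarm on the third."""
    def count(v):
        v["n"] += 1

    def reset(v):
        v["n"] = 0

    edges = [
        Edge("Idle", "sensor", 1, lambda v: True, count, "Check"),
        # both Check edges are enabled once n >= 3; priority 1 decides for Alarm
        Edge("Check", None, 1, lambda v: v["n"] >= 3, lambda v: None, "Alarm"),
        Edge("Check", None, 2, lambda v: True, lambda v: None, "Idle"),
        Edge("Alarm", None, 1, lambda v: True, reset, "Idle"),
    ]
    return Controller(edges, "Idle", {"n": 0})


def run_example():
    """Deliver three sensor events; returns (stable locations, final n, fired edges)."""
    ctrl = example_controller()
    locations = [ctrl.handle_event("sensor") for _ in range(3)]
    return locations, ctrl.vars["n"], ctrl.trace
```

Each call to handle_event returns only once the controller is stable, so the Check and Alarm locations are never observed from outside, which is the run-to-completion behaviour the generated code implements.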



Code Generation for brickOS. brickOS is a small open source operating sys- 
tem designed to run on the Hitachi H8 equipped RCX control brick in the 
LEGO® Mindstorms system. We consider brickOS to be a reasonable example 
of a target platform running a small operating system. On this target we let the 
tasks execute as separate threads which are scheduled by the underlying operat- 
ing system. Due to limited support for interrupts the event handling procedure 
is executed every time the OS scheduler is executed (i.e. every 20 ms). 



Platform-Independent Code Generation. The platform independent target 
does not rely on any specific operating system, instead it implements its own 
run-time system based on the scheduler automaton created for schedulability 
analysis. The run-time system also includes code to handle task release and 
execution, and an event handler that is invoked periodically to poll for new 
events. The current implementation of the platform independent code can only 
handle non-preemptive tasks. 

4 Tool Overview 

In this section, we present the main features of Times, the tool architecture and 
the main components in the implementation. 

4.1 Features 

Figure 5 illustrates a design process using Times. As shown in the use case, 
Times offers the following main features: 

— Editor (see Figure 6) to graphically model a system and the abstract be- 
haviour of its environment. A system description consists of a task set and 
a network of timed automata extended with the tasks. 

A task is described by the task code (in C), its (worst-case) computation time 
and (relative) deadline, and if applicable optional parameters for priority (for 
fixed priority scheduling), period (for periodic tasks), and minimal inter- 
arrival time (for sporadic tasks). 
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It is also possible to specify precedence constraints on the tasks using an 
editor for AND/OR precedence graphs, and resource access patterns using 
semaphores. 

— Simulator (see Figure 7) to visualise the dynamic behaviour of a system 
model as Gantt charts and message sequence charts. The simulator can be 
used to randomly generate possible execution traces, or alternatively the 
user can control the execution by selecting the transitions to be taken. The 
simulator can also be used to visualise error traces produced in the analysis 
phase. 

— Analyser to check that the tasks associated to a system model are guar- 
anteed to always meet their deadline. In case schedulability analysis finds 
a task that may fail to meet its deadline, a trace is generated and visualised 
in the simulator. It is also possible to compute the worst-case response times 
of individual tasks. Recently, an improved schedulability analysis algorithm 
has been developed for tasks with fixed priorities without dependencies [6]. 
The schedulability analysis has also been extended to handle resource and 
precedence constraints [8]. In addition to scheduling, it is possible to analyse 
safety and liveness properties specified as temporal logic formulae. 

— Compiler to generate executable C code from timed automata with tasks. 
The compiler assumes that the target platform ensures the asynchronous 
hypothesis and that the task code can be executed in the specified computa- 
tion time. To produce executable code, the compiler relies on a deterministic 
refinement of the semantics that realise a subset of the behaviour specified 
in the timed automata of a system model. In this way, the generated code is 
guaranteed to satisfy analysis results from e.g. schedulability analysis when 
executed on the target platform. The currently implemented compiler sup- 
ports code generation for: the brickOS operating system (that uses the sched- 
uler in the brickOS runtime system), platform independent code (C code for 
GNU gcc, including code for a scheduling policy), and code for the Animator 
of Times. 

Fig. 5. The design process using Times 
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Fig. 6. The Times editor 

— Animator to transform hybrid automata modeling the controlled environ- 
ment into C code simulating the controlled objects in the environment of 
the embedded system. The simulated environment enables the designer to 
experiment with the design prior to implementation. 



4.2 Implementation 

The architecture of the Times tool is illustrated in Figure 8. Logically it is 
divided in three main parts: 

— Graphical User Interface consisting of editors, simulator, analyser, and 
animator, as described above. The graphical user interface is implemented 
entirely in Java and uses XML to represent the system descriptions both 
internally and externally (on file). 

— Server consisting of two parts: a scheduler generator implemented in Java, 
and a module for schedulability analysis based on the Uppaal engine [9] with 
extensions, like the rest of the Uppaal engine implemented in C++. The 
scheduler generator produces a scheduler automaton based on input from the 
editor, which is composed in parallel with an annotated version of the original 
system automata. The parallel composition is analysed by on-the-fly reacha- 
bility techniques in the schedulability analysis module. Currently supported 
scheduling policies are: rate monotonic, deadline monotonic, fixed priority 
scheduling (with user defined priorities), earliest deadline first (EDF), and 
first come first served (FCFS). All scheduling policies support preemptive or 
non-preemptive task sets. 

70    Tobias Amnell et al. 

Fig. 7. The Times simulator 

— Compiler that takes as input the XML system representation from the edi- 
tor and the task code segments to produce executable code of the application. 
The generated code consists of three main parts: a set of C-functions (look- 
up tables) representing the automata of the system representation, a generic 
part storing and updating the current state according to the look-up tables, 
and possibly an implementation of the scheduling strategy (in case platform 
independent code is produced). 



5 Applications and Current Development 

Case Studies. Currently we are in the process of using Times to verify reliable 
message transmission with TTCAN (Timed Triggered CAN). So far, the only 
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non-trivial example using Times is the development of the control software of 
a production cell (a well-studied case in verification), consisting of an industrial 
robot, a press and two transportation belts to process and move metal plates. 
The robot controller is designed as a timed automaton annotated with tasks. 
A complete description of the case study can be found in [2]. It is a non-trivial 
application involving 12 tasks (task types), 7 automata, 17 integers, 24 booleans 
and 31 clock variables (7 in the model and 24 in the scheduler). The schedulabil- 
ity (and a number of other requirements) of the system is verified on a machine 
equipped with two 1.8 GHz AMD processors and 2 GB of main memory, run- 
ning Mandrake Linux. Times consumes 207 MB of memory and terminates in 
11 minutes. Using the option for over-approximation (based on the convex-hull 
approximation), the analysis requires only 13 MB and 9 seconds on the same 
machine. 

UML SPT Profile. SPT (Scheduling, Performance, and Time) specification 
is a UML profile developed recently as an extension of the UML standard to 
model time and time-related aspects of embedded systems. An ongoing work has 
been initiated with I-Logix to develop Times as a plug-in tool for schedulability 
analysis of UML diagrams in Rhapsody, annotated with stereotypes, constraints, 
and tag definitions according to the UML SPT profile. 
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Abstract. Research on optimization of timed systems, as e.g. for com- 
puting optimal schedules of manufacturing processes, has led to ap- 
proaches that mainly fall into the following two categories: On one side, 
mixed integer programming (MIP) techniques have been developed to 
successfully solve scheduling problems of moderate to medium size. On 
the other side, reachability algorithms extended by the evaluation of per- 
formance criteria have been employed to optimize the behavior of systems 
modeled as timed automata (TA). While some successful applications to 
real-world examples have been reported for both approaches, industrial 
scale problems clearly call for more powerful techniques and tools. 

The work presented in this paper aims at combining the two types of approaches: The intention is to take advantage of the simplicity of modeling with timed automata (including modularity and synchronization), but also of the relaxation techniques and heuristics that are known from MIP. As a first step in this direction, the paper describes a translation procedure that automatically generates MIP representations of optimization problems formulated initially for TA. As a possible use of this translation, the paper suggests an iterative solution procedure that combines a tree search for TA with the MIP solution of subproblems. The key idea is to use the relaxations in the MIP step to guide the tree search for TA in a branch-and-bound fashion.

Keywords. Branch-and-Bound Techniques, Discrete Optimization, 
Mixed-Integer Programming, Scheduling, Timed Automata. 



1 Introduction 

Optimizing the behavior of timed systems is essentially characterized by making decisions of two distinct types: one is to determine the sequence of steps (or actions) that optimizes a given performance criterion, the other is to fix the points of time at which the steps are started (and/or terminated). Often the considered performance criterion either formulates the maximization of the number of steps carried out in a given period of time, or the minimization of overall time (or more general costs) to perform a pre-specified set of steps. An example for the latter is job-shop scheduling, which will be considered in this paper.
Several different approaches have been developed to solve optimization problems that combine logical decisions (as the sequence of the steps) with time requirements: One is to start from timed formal models, as e.g. Timed Automata (TA), and to search for the path that optimizes the performance criterion within the tree of possible evolutions of the model. The methods described in [1] and [3] are examples that follow this line. These approaches can be seen as an extension of reachability techniques for TA (see e.g. [14, 18, 9]) by a mechanism that selects preferable feasible paths according to a cost criterion.

An alternative is to formulate the sequence of steps and the time information 
as a system of algebraic (in-)equalities involving binary and continuous variables, 
and to use these equations as constraints of an optimization problem. The latter 
approach has been studied extensively by the optimization community in the last 
decades, including mathematical programming (see e.g., [10, 13, 15, 12, 11, 7]), 
constraint programming (e.g., [2, 11]), and evolutionary algorithms (e.g., [5]). 
These methods differ in their efficiency in finding feasible and optimal solutions 
and in the encoding of constraints. The ability to optimize some real-world ex- 
amples modeled as timed systems has been demonstrated for these techniques. 
However, in order to solve industrial-size scheduling problems, the efficiency of 
available techniques must be improved. 

This paper aims at going a step in this direction by combining the benefits of a TA-based approach with mathematical programming. In the authors' opinion the advantages of the former are (a) the simplicity of modeling (employing decomposition and synchronization) and (b) the fact that the sequential evolution of TA naturally translates into a search tree (where the depth reflects the number of transitions by which the automaton is evolved). Both points appear to be less favorable in the case that the behavior of a timed system is modeled by algebraic (in-)equalities that serve as constraints in a mixed-integer program. In addition, the formulation of transitions between different steps requires the use of binary (and continuous) auxiliary variables that usually worsen the solution performance. On the other hand, mixed-integer solvers use relaxation techniques (within a branch-and-bound procedure) that have proven to be very successful for many applications. The idea is to initially relax the integrality constraint on the binary variables, i.e., to assume that they can take any values in the interval [0, 1]. The solution of an optimization problem with such 'relaxed' variables is then used as a lower bound to cut off branches of the solution tree which are proved to be suboptimal. Values of such relaxed variables can also be used to determine a value assignment for the original binary variables.

To the authors' knowledge, the use of this particular heuristic has not yet been explored for the optimization of TA. Hence, the objective of this paper is to connect the modeling advantage of TA with the relaxation principle of mixed-integer approaches. As a first step in this direction, the paper describes a procedure to transform a class of optimization problems for timed automata into a corresponding mixed-integer programming formulation. In the second part, we show how this transformation can be used within an optimization algorithm that combines tree search with the idea to guide the search by relaxations.
2 Scheduling for Timed Automata

In this section we focus on scheduling problems as a special class of optimization 
problems for timed systems. However, the transformation described in Sec. 3 
and the solution algorithm in Sec. 4 extend straightforwardly to other optimiza- 
tion tasks for timed systems. Scheduling problems typically arise in production 
processes, where specified quantities of different products must be available at 
given dates and where a limited amount of resources is available for production. 
The production of a certain product, called a job, consists of a set of tasks, each 
of which requires a set of resources for a certain period of time. Each task can 
consume certain amounts of intermediate products, and produces supplies to 
other parts of the production chain or final products. The task to be solved is to 
decide when a certain amount of a particular product should be processed and 
which resources are used. 

Many special cases of this general problem are known and lead to simplified 
versions, for which special solution algorithms are known. In this paper, the 
general class of job-shop scheduling problems is considered, in which jobs are 
modeled as different sequences of tasks and are executed on different machines. 
Such problems are known to be NP-hard, and polynomial algorithms only exist 
for special cases. 

In the following, we first summarize the status of mixed-integer programming approaches to scheduling problems, and then restate a variant of TA known from the literature that is suitable to formulate scheduling problems.

2.1 Solving Scheduling Problems by Mixed-Integer Programming 

In a scheduling problem, there are usually discrete as well as continuous decision variables. In the mathematical programming approach, the structure of the production process, the precedence relations, and the resource consumption of the jobs, as well as technological restrictions, are modeled by (in-)equalities involving integer and real variables. Besides the decision variables, usually a large number of auxiliary variables (many of which are again integer variables) are needed. By choosing a linear cost criterion and by applying transformation techniques to nonlinear (in-)equalities [17], many problems can be described by (usually large) sets of linear constraints. The solution of these problems, termed Mixed-Integer Linear Programs (MILPs), means the computation of a set of valuations of the variables that satisfies the constraints and minimizes the cost function. For this task, efficient techniques based upon the relaxation of the integrality constraints, branch-and-bound techniques, cutting-plane methods, etc. exist. For the solution of MILPs, highly efficient commercial solvers, as e.g. CPLEX [6], are available. However, the efficiency of MILP solvers depends very much on the specific problem. While the efficient solution of some problems with several tens of thousands of binary variables has been reported, other problems with just 100 variables can be very hard to solve [10].
2.2 Scheduling Problems Modeled by Timed Automata

A version of timed automata (TA) that has been used in the context of scheduling 
is that of linearly priced timed automata (LPTA) [3]. LPTA are TA extended by 
costs for locations and transitions. We here restate some essentials of the formal 
definition given in [3] since it is used as the basis of the transformation procedure 
described in Sec. 3. 

Definition 1. An LPTA is a tuple $(L, l_0, E, I, P)$ with a finite set $L$ of locations, the initial location $l_0$, the set $E \subseteq L \times B(C) \times Act \times \mathcal{P}(C) \times L$ of transitions, where $Act$ is a set of actions, $B(C)$ are constraints over a set $C$ of clocks (given as conjunctions of atomic formulae $x \sim n$ or $x - y \sim n$ with $x, y \in C$, $\sim \in \{<, \le, =, \ge, >\}$, $n \in \mathbb{N}$), and $\mathcal{P}(C)$ is a set of reset assignments; $I : L \to B(C)$ defines invariants for the locations and $P : (L \cup E) \to \mathbb{N}$ assigns prices to locations as well as transitions. A transition $(l, g, a, r, l') \in E$ between source location $l$ and target location $l'$ is denoted by $l \xrightarrow{g,a,r} l'$.

For LPTA that are synchronized over their sets of actions, parallel composition 
is defined as follows: 

Definition 2. For two LPTA $A_i = (L_i, l_{i,0}, E_i, I_i, P_i)$, $i = 1, 2$, with action sets $Act_1$ and $Act_2$, the parallel composition is defined as $A_1 \parallel A_2 = (L_1 \times L_2, (l_{1,0}, l_{2,0}), E, I, P)$ where $l = (l_1, l_2)$, $I(l) = I_1(l_1) \wedge I_2(l_2)$, and the costs assigned to locations are combined according to $P(l) = h_L(P_1(l_1), P_2(l_2))$ with a mapping $h_L : \mathbb{Q} \times \mathbb{Q} \to \mathbb{Q}$. A transition $l \xrightarrow{g,a,r} l'$ exists for $A_1 \parallel A_2$ iff $g_i$, $a_i$, and $r_i$ exist for $A_i$ such that $l_i \xrightarrow{g_i,a_i,r_i} l_i'$, $g = \bigwedge_i g_i$, $r = r_1 \cup r_2$, and $Act \subseteq (Act_1 \cup \{0\}) \times (Act_2 \cup \{0\})$, $a := (a_1, a_2) \in Act$ (with a no-action symbol $0$). The costs assigned to transitions follow from $P((l, g, a, r, l')) = h_E(P((l_1, g_1, a_1, r_1, l_1')), P((l_2, g_2, a_2, r_2, l_2')))$ with a function $h_E : \mathbb{Q} \times \mathbb{Q} \to \mathbb{Q}$.

With respect to the semantics, we refer to the formal definition given in [3]. Informally, an evolution of an LPTA is a trace $\sigma$ consisting of a finite sequence of $n$ transitions. Along this sequence, the costs sum up according to $cost(\sigma) = \sum_{i=0}^{n} p_i$, where $p_i$ contains the cost accumulated according to $d \cdot P(l)$ while being in location $l$ for a duration $d$, and the cost contribution $P(l, g, a, r, l')$ assigned to the transition by which $l$ is left. If $(l, u)$ denotes a state of the execution trace with $u$ as a valuation of all clocks, the minimum cost of $(l, u)$ is defined as the minimal costs of all traces that lead to $(l, u)$. The optimization of an LPTA hence corresponds to the search for a trace that ends in $(l, u)$ with minimum costs.

Using this definition of LPTA, job-shop scheduling problems can be formulated easily: A job is defined as a sequence of tasks which must be processed on a limited set of resources. Each job is modeled by a separate LPTA that contains two locations per task, one representing that the task is waiting to be processed, and one modeling that the task is executed on an available resource. In addition, a job automaton contains a final state denoting that the complete set of tasks is finished. A simple example of one job (J1) with two tasks that are executed on two resources (M1, M2) is shown in Fig. 1. While this example contains only timing constraints, the prices introduced in Def. 1 are useful to model that processing a task on different resources leads to different costs. Each resource is modeled as a separate LPTA that contains two locations, one of which represents that the resource is allocated by a task, and one that represents that the resource is available. The transitions of a resource automaton and a task automaton synchronize each time a task is started and finished.

Fig. 1. Model for a job with two tasks that are executed on two resources M1 and M2 for 2 and 5 time units, respectively. The clock $u$ is used to model timing constraints. The states of the job automaton are denoted by a to e, and the resource states by x and y.

If the scheduling problem is formulated in this manner, search algorithms like 
those published in [1, 3] can be applied. If a feasible solution exists, the result is 
the cost-optimal path into the desired state, which is that all specified jobs have 
been processed. 

3 Transformation of TA into Mixed Integer Programs 

We now present a mixed-integer linear program (MILP) formulation that is 
equivalent to a job-shop scheduling problem modeled by a set of task and resource 
LPTA. The MILP formulation retains the modularity of the automaton model, 
with communication realized by synchronization. 

3.1 Model Formulation 

The following formulation is structured such that it can be directly implemented in the algebraic modeling language GAMS [4]. The latter has become a standard specification language for mathematical programs and is the input format for various solvers including CPLEX. We first list the index sets, parameters and variables involved in the formulation, and then the (in-)equalities that establish the transition structure, the clock dynamics, and the synchronization of LPTA. Some of these (in-)equalities are based on the disjunctive formulations introduced in [16].

We assume here for simplicity of notation that each automaton has the same number of locations ($n_L$), clocks ($n_C$), transitions ($n_T$), clock constraints ($n_G$), and points of time ($n_K$) at which transitions occur. This assumption does not limit the generality, i.e., the extension to different sets for each automaton is straightforward.
Index Sets

— Automata: $\mathcal{A} = \{a_1, \ldots, a_{n_A}\}$;

— Clocks: $\mathcal{C} = \{c_1, \ldots, c_{n_C}\}$;

— Locations: $\mathcal{L} = \{l_1, \ldots, l_{n_L}\}$;

— Transitions: $\mathcal{T} = \{t_1, \ldots, t_{n_T}\} \cup \{\tau\}$;

— Discrete points of time: $\mathcal{K} = \{k_1, \ldots, k_{n_K}\}$; each of these points corresponds to an instant of time at which a transition is taken, i.e., a task is started or finished. Since only jobs with a finite number of tasks are considered (and the corresponding job LPTA are acyclic), the set $\mathcal{K}$ is finite;

— Clock constraints: $\mathcal{G} = \{g_1, \ldots, g_{n_G}\}$.

Constants and Parameters

— State invariant matrices: $A_I \in \mathbb{Q}^{n_A \times n_L \times n_G \times n_C}$ and $b_I \in \mathbb{Q}^{n_A \times n_L \times n_G}$. For a specific automaton $a$ and a location $l$, these matrices model the invariant as a polyhedron $A_I(a, l, \bullet, \bullet) \cdot x \le b_I(a, l, \bullet)$ in the clock vector $x \in \mathbb{Q}^{n_C}$, where $\bullet$ represents the dimensions of clocks and invariant conditions;

— Transition guard matrices: $A_G \in \mathbb{Q}^{n_A \times n_T \times n_G \times n_C}$ and $b_G \in \mathbb{Q}^{n_A \times n_T \times n_G}$;

— Cost rates $c_L(a, l) \in \mathbb{Q}$ assigned to locations (corresponding to the prices $P(l)$ in LPTA);

— Transition costs $c_T(a, t) \in \mathbb{Q}$ (corresponding to the prices $P((l, g, a, r, l'))$ in Def. 1);

— Reset vectors for transitions: $r(a, t, c) \in \{0, 1\}$, the components of which are zero for clocks that are reset by a transition, and one otherwise;

— Parameters $w(a, l, t, l') \in \{0, 1\}$ that define the automaton topology, i.e., $w(a, l, t, l') = 1$ denotes that a transition $t$ exists for automaton $a$ between location $l$ and location $l'$;

— Indicators for transition sources: $f(a, l, t) \in \{0, 1\}$, where $f(a, l, t) = 1$ denotes that location $l$ of automaton $a$ has an outgoing transition $t$;

— Synchronization indicators: $s(a, t, a', t') \in \{0, 1\}$, where $s(a, t, a', t') = 1$ indicates that the transition $t$ of automaton $a$ and the transition $t'$ of $a'$ are synchronized. (Obviously, these parameters are defined symmetrically: $s(a, t, a', t') = s(a', t', a, t)$ for $a \ne a'$.);

— Constants $m, M \in \mathbb{Q}$, where $m$ is small and $M$ large compared to the left- and right-hand sides of the inequalities formulating the guards and invariants.



Variables

— Variables for clock valuations at the instants when a location is reached: $x(a, c, k) \in \mathbb{Q}$;

— Variables for clock valuations at the instants when a location is left: $y(a, c, k) \in \mathbb{Q}$;

— A clock variable for each automaton: $z(a, k) \in \mathbb{Q}$. These variables are required to ensure that synchronized transitions are taken simultaneously. They are never reset to zero;

— Location indicator variables $d_L(a, l, k) \in [0, 1]$ that specify the current location of each automaton at every point of time (note that these variables are forced to zero or one by the equations listed below);

— Transition indicator variables $d_T(a, t, k) \in [0, 1]$ for all transitions;

— Variables that indicate the period of time during which an automaton does not change its location: $\Delta(a, k) \in \mathbb{Q}$;

— Variables that combine the information about the current locations and transitions: $d_{LT}(a, l, t, k) \in [0, 1]$.



(In-)Equalities for Static Dependencies

— Each automaton is always in exactly one of its locations: $\sum_{l \in \mathcal{L}} d_L(a, l, k) = 1$ for all $a \in \mathcal{A}$, $k \in \mathcal{K}$.

— At every point of time in $\mathcal{K}$, each automaton takes exactly one of its transitions (possibly a self-loop transition): $\sum_{t \in \mathcal{T}} d_T(a, t, k) = 1$ for all $a \in \mathcal{A}$, $k \in \mathcal{K}$.

— Restriction to valid combinations of locations and outgoing transitions: each variable $d_{LT}(a, l, t, k)$ is set to 1 iff $d_T(a, t, k) = 1$ and $d_L(a, l, k) = 1$, for $a \in \mathcal{A}$, $l \in \mathcal{L}$, $t \in \mathcal{T}$, $k \in \mathcal{K}$:

$d_{LT}(a, l, t, k) \le f(a, l, t) \cdot d_L(a, l, k)$,
$d_{LT}(a, l, t, k) \le f(a, l, t) \cdot d_T(a, t, k)$,
$d_{LT}(a, l, t, k) \ge f(a, l, t) \cdot (d_L(a, l, k) + d_T(a, t, k) - 1)$.

— At every point of time, only one transition can occur from the current source location: $\sum_{l \in \mathcal{L}} \sum_{t \in \mathcal{T}} d_{LT}(a, l, t, k) = 1$ for all $a \in \mathcal{A}$, $k \in \mathcal{K}$.

(In-)Equalities for the Linearization of Nonlinear Constraints

— Since the objective is to obtain an optimization model that exclusively contains linear constraints, products of variables have to be linearized. This is achieved by first introducing the following constraints and additional auxiliary variables:

∘ $x^L(a, c, k, l) := x(a, c, k) \cdot d_L(a, l, k)$,
∘ $y^L(a, c, k, l) := y(a, c, k) \cdot d_L(a, l, k)$,
∘ $y^T(a, c, k, t) := y(a, c, k) \cdot d_T(a, t, k)$,
∘ $\Delta^L(a, l, k) := \Delta(a, k) \cdot d_L(a, l, k)$.

By applying the transformations described in [16], these constraints can then be written in linear form.

— It has to be encoded that the check whether a transition guard is satisfied is only relevant when a transition is taken:

$\sum_{c \in \mathcal{C}} A_G(a, t, g, c) \cdot y^T(a, c, k, t) \le d_T(a, t, k) \cdot b_G(a, t, g)$ for all $a \in \mathcal{A}$, $t \in \mathcal{T}$, $g \in \mathcal{G}$, $k \in \mathcal{K}$.

— Location invariants are checked when a location is reached:

$\sum_{c \in \mathcal{C}} A_I(a, l, g, c) \cdot x^L(a, c, k, l) \le d_L(a, l, k) \cdot b_I(a, l, g)$ for all $a \in \mathcal{A}$, $l \in \mathcal{L}$, $g \in \mathcal{G}$, $k \in \mathcal{K}$,

— and when a location is left:

$\sum_{c \in \mathcal{C}} A_I(a, l, g, c) \cdot y^L(a, c, k, l) \le d_L(a, l, k) \cdot b_I(a, l, g)$ for all $a \in \mathcal{A}$, $l \in \mathcal{L}$, $g \in \mathcal{G}$, $k \in \mathcal{K}$.
Formulation of the Clock and Transition Dynamics

— Staying in locations: $y(a, c, k) = x(a, c, k) + \Delta(a, k)$ for all $a \in \mathcal{A}$, $c \in \mathcal{C}$, $k \in \mathcal{K}$.

— A location $l'$ of automaton $a$ becomes active iff one of its predecessor locations $l$ was active and the connecting transition $t$ from $l$ to $l'$ is taken: $d_L(a, l', k+1) = \sum_{l \in \mathcal{L}} \sum_{t \in \mathcal{T}} w(a, l, t, l') \cdot d_{LT}(a, l, t, k)$ for all $l' \in \mathcal{L}$, $k \in \mathcal{K} \setminus \{k_{n_K}\}$, $a \in \mathcal{A}$.

— Clock resets triggered by transitions: $x(a, c, k+1) = \sum_{t \in \mathcal{T}} r(a, t, c) \cdot y^T(a, c, k, t)$ for all $a \in \mathcal{A}$, $c \in \mathcal{C}$, $k \in \mathcal{K} \setminus \{k_{n_K}\}$.

— Assignment of the clock valuations: $z(a, k+1) = z(a, k) + \Delta(a, k)$ for all $a \in \mathcal{A}$, $k \in \mathcal{K} \setminus \{k_{n_K}\}$.



Synchronization Equations

— If required by the synchronization indicators, two transitions are synchronized: $s(a, t, a', t') \cdot d_T(a, t, k) \le \sum_{k' \in \mathcal{K}} d_T(a', t', k')$ for all $a, a' \in \mathcal{A}$, $t, t' \in \mathcal{T}$, $k \in \mathcal{K}$.

— If two transitions of two automata are synchronized (as indicated by $s(a, t, a', t') = 1$), the following inequalities ensure that the clocks $z(a, k)$ and $z(a', k')$ have the same values:

$s(a, t, a', t') \cdot (z(a, k) - z(a', k')) \le s(a, t, a', t') \cdot M \cdot (2 - d_T(a, t, k) - d_T(a', t', k'))$,
$s(a, t, a', t') \cdot (z(a, k) - z(a', k')) \ge -s(a, t, a', t') \cdot M \cdot (2 - d_T(a, t, k) - d_T(a', t', k'))$
for all $a, a' \in \mathcal{A}$, $t, t' \in \mathcal{T}$, and $k, k' \in \mathcal{K}$.

If a transition is not synchronized with any other, then all parameters $s$ referring to this transition are set to zero (i.e., no-action symbols are implicitly assumed).

In addition to the items listed here, non-negativity constraints and bounds for some variables have to be specified.

3.2 Objective Function 

The costs of a trace of the timed automaton are defined as the sum of all transition costs plus the cost rates of locations multiplied by the durations in which the locations are active:

$\min_{d_L, d_T} \Omega$, with: (1)

$\Omega = \sum_{a \in \mathcal{A}} \sum_{k \in \mathcal{K}} \Big( \sum_{l \in \mathcal{L}} \Delta^L(a, l, k) \cdot c_L(a, l) + \sum_{t \in \mathcal{T}} d_T(a, t, k) \cdot c_T(a, t) \Big)$. (2)

Optimization of Timed Automata Models Using Mixed-Integer Programming

Simplified versions of this objective function are sometimes used in scheduling. One is to accumulate costs only if a job automaton reaches its final state delayed, i.e., later than a specified deadline. Another alternative is the makespan minimization, in which simply the time is minimized at which the last task is terminated. Then the objective function reduces to:

$\min_{d_L, d_T} \Omega$, where $\Omega \ge z(a, k)$ for all $a \in \mathcal{A}$, $k \in \mathcal{K}$. (3)

3.3 Solution Procedure 

In order to determine the optimal schedule, the following steps are carried out: 

1. Each automaton used for modeling the scheduling problem is transformed 
into a corresponding MILP representation according to the scheme presented 
above. 

2. The MILP model has to be initialized by assigning the value one to the location indicator variables that correspond to the initial states. Similarly, the final states (in which all job automata have reached their terminal states) are specified for $k = k_{n_K}$. Furthermore, all clock variables are initialized to zero.

3. The MILP model together with a chosen objective function can then be solved by a MILP solver.

4. Finally, the optimal schedule is extracted from the optimization result. The solution contains valid values for all $x$ and $y$ variables representing the starting and finishing times of tasks. These values lead straightforwardly to a valid schedule that meets all restrictions. In addition, from the variables $d_L$ and $d_T$ that have the value one, the traces of each single LPTA can easily be constructed.



3.4 Illustrative Example 

In order to illustrate the transformation step, the simple scheduling problem introduced already in Fig. 1 is considered again. The two job automata interact with the two resource automata through synchronization labels. In automaton J1, the first transition labeled by aJ1M1 is used to allocate the resource M1. The second transition is used to free the resource through the synchronization fJ1M1. Similar synchronization is used for the second task in which M2 is allocated and freed. The automaton J2 for Job 2 is identical except for the labels and the task durations (5 time units for task 1, and 2 time units for task 2). Of course, both resource automata include corresponding synchronized transitions for the second job. This model was implemented in the GAMS language with 5 discrete points of time for each automaton. The resulting MIP model has 2450 equations, 903 single variables and 60 binary variables. The solution on a 2.4 GHz machine took 0.6 seconds and a schedule with a makespan of 9 has been found to be optimal in the 60th branch-and-bound node. It is shown as schedule S1 in Fig. 4.

It should be remarked that variations of the MILP encoding of LPTA are conceivable; but we found the scheme presented here to be an efficient one with respect to the solution performance. Note, however, that the transformation scheme maintains the modularity and the synchronization of the LPTA used to model the jobs and resources. If one alternatively first composes the automata and then applies the transformation scheme to the product, the components required to model the synchronization variables vanish from the MILP program.

4 Combining TA Optimization with MIP Relaxations 

With an increasing complexity of the LPTA model, the number of binary and 
continuous variables in the MILP representation grows quickly, and makes an 
efficient solution difficult. In order to reduce this effect, we now sketch an idea 
that combines the tree search for LPTA with the relaxation principle used in 
MILP techniques. 

The known procedure to determine a cost-optimal path for LPTA is to build a search tree starting from the initial state and to extend the branches according to reachability criteria. This means that a node of the tree is extended by successor nodes that represent locations which are reachable by single transitions (the guard of which is enabled). Hence, a branch of the tree corresponds to the sequence of locations that are encountered during a possible evolution of the automaton. The costs accumulated along the path are used to assess the path, and the search is directed by this assessment. In [8], the branch-and-bound principle is used in this context, that means branches for which the accumulated costs are higher than for the best solution found so far are cut (i.e., are not further explored). However, it is obvious that this type of search can only operate with costs accumulated up to the current node, but does not consider a cost-to-go.

Existing MILP techniques also build a search tree, but a node here represents 
a state in which a certain subset of discrete variables is fixed to integer values, 
while the remainder is not. A key difference to the search for TA is that in 
MILP complete paths from the initial location to the target location (’all jobs 
are processed’) are considered in each step. In each node a linear program (LP) 
is solved in which the discrete variables, that are not yet fixed, are treated 
as continuous variables. The solution of the LP defines a lower bound for the 
cost of the original problem. This bound can be used to select which discrete 
variables are fixed next to particular values. Since this criterion is applied quite 
successfully in MILP, the objective is to embed it into the tree search for LPTA. 

The following procedure is suggested. The tree search including the branch-and-bound principle is carried out as sketched above. However, in each encountered node the following is done: The LPTA model is transformed into the corresponding MILP representation using the scheme described in Sec. 3. The degrees of freedom that are fixed already by the previous evolution of the LPTA model result in fixed variables of the MILP model; specifically, the corresponding variables $d_L(a, l, k)$ and $\Delta(a, k)$ are treated as parameters with constant values. The remaining discrete (respectively binary) variables are relaxed, i.e., are treated temporarily as continuous variables. The optimization is then solved as a linear program which returns a lower bound for the overall cost. The difference between this lower bound and the accumulated cost for the current node of the tree search can be interpreted as an estimate of the cost-to-go. The values of the relaxed variables that correspond to the lower bound are taken as hints as to which further evolution of the automaton should be investigated first. In the simplest case this can be done by rounding the solutions for the relaxed variables to the nearest integer values and translating these values back into a path of the automaton. Even more importantly, the lower bounds are used to cut branches of the search tree if the lower bound obtained for a particular node already has a higher value than the costs of the best solution found so far.

The procedure is repeated by alternating between exploring the search tree 
and evaluating a relaxed MILP model. Note that by fixing variables in each step, 
the complexity of the LP problems decreases along a branch of the tree. 

Figure 2 formulates this procedure as a high-level algorithm: Assume that $A$ denotes the parallel composition of all job and resource automata. Let $L_f \subseteq L$ denote the subset of final locations of $A$, in which all job automata have reached their final location. Furthermore, we use the notion of zones, which are essentially polyhedra in the clock space that specify the reachable subset of the location invariants. See [3] for more details on zones. Note that we here again consider the case of makespan minimization, i.e., considering clock valuations (in terms of zones) is sufficient to evaluate the cost criterion.

Within the algorithm, the MILP model is denoted by $M$, and we use three lists Passed, Waiting, and Succ. Elements of these lists are triples $(l, Z, b)$ consisting of a location $l$, a zone $Z$, and a lower bound $b$ for the costs $\Omega$. The algorithm in Fig. 2 then realizes the procedure of iteratively computing the successor location of the LPTA, computing a lower bound by solving the relaxed MILP program, and cutting branches in the search tree by comparing accumulated costs and lower bounds with the minimal cost value obtained so far.

In order to illustrate the algorithm, we reconsider the example introduced in Fig. 1 and used in Sec. 3.4. A search tree is formed for the composition of all job and resource automata starting with the initial state (a, a, x, x). The final state is the one in which all jobs are completed and all resources are idle: (e, e, x, x). For each node, the accumulated time is recorded, the current state is fixed in the corresponding LP model, and the latter is solved. Its solution is assigned as a lower bound to the current node. The search tree is visualized in Fig. 3. For the sake of clarity, only the minimal accumulated time (to reach the state) and the lower bound, but not the complete zones, are shown in the tree. Since the search strategy used in this example is best-lower-bound search, the procedure quickly finds the path leading to the final state within 9 time units; this path represents the optimal schedule with the minimal makespan. Other paths are not completely explored because lower bounds encountered at an intermediate state are greater than the best found solution. This cutting rule is the same as the one commonly used in branch-and-bound techniques; it allows here to cut off large parts of the search tree for LPTA: In our example, only 14 of 47 nodes of the tree have been explored. The dashed nodes and transitions show two suboptimal
Ω := ∞
Passed := ∅
M := TRANSFORM(A)                         // transform the LPTA into the MILP model
M_r := RELAX(M)                           // relax the binary variables of M
b_0 := SOLVE_LP(M_r)                      // solve min(Ω) by linear programming
Waiting := {(l_0, Z_0, b_0)}
WHILE Waiting ≠ ∅
    (l, Z, b) := SELECT_REMOVE(Waiting) such that b is minimal
                                          // realizes a best-lower-bound-first search strategy
    IF l ∈ L_f THEN
        IF min(Z) < Ω THEN
            Ω := min(Z)
        END
    ELSE
        IF b < Ω AND min(Z) < Ω THEN
            Succ := COMPUTE_SUCCESSORS(A, (l, Z, b))      // list of successors (l', Z', -)
            Succ' := Succ \ (Passed ∩ Succ)
            FOR ALL (l', Z', -) ∈ Succ' DO
                M_r' := UPDATE_M_r(M_r, (l', Z'))         // fix variables for transitions into (l', Z')
                b' := SOLVE_LP(M_r')
                Waiting := Waiting ∪ {(l', Z', b')}
            END
        END
    END
    Passed := Passed ∪ {(l, Z, b)}
END

Fig. 2. Optimization algorithm for LPTA using relaxations and branch-and-bound principles



schedules; it is clear from Fig. 4 that the corresponding schedules S2 and S3 are not preferable over S1 due to their larger makespan.
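As an added example (not the authors' code or their GAMS model), the following Python carries the algorithm of Fig. 2 over the instance of Fig. 1 and Sec. 3.4: the job and resource automata are composed on the fly, a successor being the synchronized start transition of one pending task, and Passed, Waiting, Ω and the cutting rule are those of Fig. 2. One assumption departs from the paper: SOLVE_LP(M_r), the LP relaxation of the Sec. 3 MILP, is replaced by an admissible remaining-work bound on the makespan, because the MILP would need an external LP solver.

```python
"""Best-lower-bound-first search of Fig. 2 for the job-shop LPTA of Fig. 1 (added example).

Assumption: SOLVE_LP(M_r), the LP relaxation of the Sec. 3 MILP, is replaced by an
admissible makespan bound computed from the remaining work of jobs and machines.
"""
import heapq
from typing import Dict, List, Tuple

# Constructed instance from Fig. 1 / Sec. 3.4: job -> ordered (machine, duration) tasks
JOBS: Dict[str, List[Tuple[str, int]]] = {
    "J1": [("M1", 2), ("M2", 5)],
    "J2": [("M1", 5), ("M2", 2)],
}

# A node (l, Z): l = next task index of every job (the composed location);
# Z is abstracted to the earliest instant each job and each machine is free again.
State = Tuple[Tuple[int, ...], Tuple[int, ...], Tuple[int, ...]]


class JobShopLPTA:
    def __init__(self, jobs: Dict[str, List[Tuple[str, int]]]) -> None:
        self.jobs = jobs
        self.names = sorted(jobs)
        self.machines = sorted({m for tasks in jobs.values() for m, _ in tasks})

    def initial(self) -> State:
        n, m = len(self.names), len(self.machines)
        return ((0,) * n, (0,) * n, (0,) * m)

    def is_final(self, state: State) -> bool:
        # l in L_f: every job automaton sits in its final location
        return all(i == len(self.jobs[n]) for i, n in zip(state[0], self.names))

    def min_time(self, state: State) -> int:
        # min(Z): earliest instant at which this node can be reached
        return max(state[1])

    def successors(self, state: State):
        # COMPUTE_SUCCESSORS: fire the synchronized start transition (aJiMj) of one
        # pending task; the task then occupies the resource for its duration.
        idx, jfree, mfree = state
        out = []
        for j, name in enumerate(self.names):
            if idx[j] == len(self.jobs[name]):
                continue
            machine, dur = self.jobs[name][idx[j]]
            m = self.machines.index(machine)
            start = max(jfree[j], mfree[m])      # guard: job waiting, resource available
            end = start + dur                     # invariant: leave after exactly dur
            nidx = idx[:j] + (idx[j] + 1,) + idx[j + 1:]
            njf = jfree[:j] + (end,) + jfree[j + 1:]
            nmf = mfree[:m] + (end,) + mfree[m + 1:]
            out.append(((name, machine, start, end), (nidx, njf, nmf)))
        return out

    def lower_bound(self, state: State) -> int:
        # Stand-in for SOLVE_LP(M_r) (assumption, see module docstring): no schedule
        # ends before any job or any machine has finished its remaining work.
        idx, jfree, mfree = state
        by_job = max(jfree[j] + sum(d for _, d in self.jobs[n][idx[j]:])
                     for j, n in enumerate(self.names))
        by_machine = max(mfree[m] + sum(d for j, n in enumerate(self.names)
                                        for mm, d in self.jobs[n][idx[j]:] if mm == mac)
                         for m, mac in enumerate(self.machines))
        return max(by_job, by_machine)


def optimize(shop: JobShopLPTA, cut: bool = True):
    """Fig. 2 with Passed/Waiting; returns (Omega, schedule, nodes taken from Waiting).
    cut=False switches the branch-and-bound test off to show what the bounds save."""
    omega = float("inf")                  # best makespan found so far
    best = None
    passed = set()
    counter = 0                           # tie-breaker so the heap never compares states
    l0 = shop.initial()
    waiting = [(shop.lower_bound(l0), counter, l0, ())]
    taken = 0
    while waiting:
        b, _, state, sched = heapq.heappop(waiting)   # SELECT_REMOVE with b minimal
        if state in passed:
            continue                                  # reached again via another path
        taken += 1
        if shop.is_final(state):
            if shop.min_time(state) < omega:
                omega, best = shop.min_time(state), list(sched)
        elif not cut or (b < omega and shop.min_time(state) < omega):
            for step, succ in shop.successors(state):
                if succ not in passed:                # Succ' = Succ \ Passed
                    counter += 1
                    heapq.heappush(waiting, (shop.lower_bound(succ), counter,
                                             succ, sched + (step,)))
        passed.add(state)
    return omega, best, taken


if __name__ == "__main__":
    omega, schedule, taken = optimize(JobShopLPTA(JOBS))
    print(f"makespan {omega} after {taken} nodes taken from Waiting:", *schedule, sep="\n  ")
```

The run reproduces schedule S1 with makespan 9 after 10 nodes taken from Waiting; `optimize(shop, cut=False)` visits all 15 distinct nodes this abstraction has, which is what the bounds save.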

5 Conclusions 

The contribution of this paper is two-fold. First, it introduces a procedure to transform a minimization problem formulated for LPTA into a corresponding MILP. The transformation scheme can either retain the modular structure and the synchronization of the separate automata, or one can first determine the automata product and then apply the transformation to the result. The transformation scheme can straightforwardly be written algorithmically, and can thus be fully automated. Hence, the transformation procedure as such allows specifying the optimization problem as LPTA (which appears to be easier than starting with an algebraic model directly) and then proceeding with a set of established MILP techniques.
[Fig. 3: search tree; the nod­es labelled S1, S2 and S3 mark the three schedules]

Fig. 3. Search tree for the composed LPTA model. The states and transitions drawn
with solid lines represent the parts encountered within a best-lower-bound-first search.
Elements drawn with dashed lines correspond to suboptimal schedules. Each node is
decorated with a pair consisting of accumulated time and lower bound (the latter
obtained from solving a linear program).

[Fig. 4: the three schedules S1, S2 and S3; figure not reproduced]

Fig. 4. Three out of eight possible schedules computed for the example.
However, using the reachability tree of an LPTA for optimization has the
advantage that the search is not performed on a model in which the transition
structure is encoded by a large set of algebraic constraints and auxiliary vari-
ables, as is the case for the MILP. In order to combine the advantages of tree
search for LPTA with the relaxation idea used in MILP, we have proposed in
the second part a scheme consisting of the following steps: (a) sequentially con-
structing a search tree for the LPTA considering reachability criteria, (b) generating
a corresponding MILP program with relaxed integer variables, (c) computing
a lower bound for the cost-to-go by solving a linear program, and (d) cutting
branches in the search tree if the accumulated costs or the lower bound exceed
the best solution found before.

While this paper describes the algorithm and sketches the principle for a sim-
plistic example, it is a matter of current research to test the proposal on a set of
real-world scheduling problems, in order to determine in which cases the method
has benefits. This work includes developing an efficient implementation of the
steps involved. Furthermore, we investigate how alternative concepts used in
mixed-integer programming (e.g., specialized cutting rules) can be embed-
ded in the procedure.
Abstract. This paper presents a model-checking approach for analy-
zing discrete-time Markov reward models. For this purpose, the temporal
logic probabilistic CTL is extended with reward constraints. This allows
complex measures, involving expected as well as accumu-
lated rewards, to be formulated in a precise and succinct way. Algorithms to efficiently
analyze such formulae are introduced. The approach is illustrated by
model-checking a probabilistic cost model of the IPv4 zeroconf protocol
for distributed address assignment in ad-hoc networks.



1 Introduction 

Modelling techniques such as queueing networks and probabilistic variants of
Petri nets, automata networks and process algebra are convenient means to de-
scribe performance and dependability models. Based on a high-level specification
of the system under investigation, the underlying model, be it a continuous-
time or a discrete-time Markov chain (CTMC or DTMC), is automatically
obtained and can be analyzed with well-studied means to obtain transient and
stationary measures. Most of these techniques have been extended to CTMCs
(or DTMCs) augmented with costs, or dually bonuses (rewards); approaches
using stochastic reward nets [7], reward-based variants of process algebra [4],
extensions of automata [15], logic-based approaches [8] and so on have been
proposed. These formalisms provide adequate means to specify performance and
dependability models.

It is fair to say that the specification of performance or dependability mea- 
sures in a high-level manner has received far less attention. In recent works, we 
have proposed to use appropriate extensions of temporal logic - as typically used 
to reason about the functional correctness of systems - for specifying constraints 
over such measures [2, 3]. This technique allows to specify standard (e.g., tran- 
sient and stationary) and complex measures in a precise, unambiguous and lucid 
manner. Even more importantly, this specification technique is complemented 
by powerful means to automatically check constraints on measures over finite 
Markovian models using a light-weight extension of model checking [9]. This 
hides specialized algorithms from the performance engineer, supports automated 
measure-driven model adaptation, and allows for the checking of quantitative as 
well as functional properties (such as absence of deadlocks) in a single integrated
framework.

The model-checking algorithms for CTMCs rely on well-developed standard
numerical algorithms. Therefore even the more intricate measures, beyond
standard stationary and transient measures, can be checked rather efficiently.
Further work in this area has focussed on CTMCs decorated with rewards. We
have introduced a logic to specify measures over such so-called continuous-time
Markov reward models (CMRMs) [2, 12]. The logic allows one to express a rich
spectrum of measures. For instance, when rewards are interpreted as costs, this
logic can express a constraint on the probability that, given a start state, a
certain goal can be reached within t time units while deliberately avoiding
visits to certain intermediate states, and with a total cost (i.e., accumulated reward)
below a given threshold. Such path-based measures are, however, computation-
ally expensive as they are based on determining transient reward distributions,
a measure that has not been widely addressed in the literature and for which
the rarely available algorithms are highly time- and/or space-consuming [12].

In this paper, we aim to avoid this inefficiency by considering discrete-time
Markov chains instead, decorated with (possibly multiple) state rewards. This
paper introduces a logic and model-checking algorithms for discrete-time Markov
reward models (DMRMs). In particular, we extend probabilistic CTL [11] with
an operator to reason about long-run averages and, more importantly, with operators
that allow constraints to be specified on (i) the expected reward rate at a time in-
stant, (ii) the long-run expected reward rate per time unit, (iii) the cumulated
reward rate at a time instant, all for a specified set of states, and (iv) the
cumulated reward over a time interval. The proposed logic allows one to specify non-
trivial, though interesting, constraints such as "the probability to reach one of
the goal states (via indicated allowed states) within n steps while having earned
an accumulated reward that does not exceed r is larger than 0.92". We present
model-checking algorithms that verify such properties in an efficient manner, and
show how these can be extended to multiple rewards in a straightforward way.
The approach is illustrated by checking some properties of the IPv4 zeroconf
protocol for distributed address assignment in ad-hoc networks.

2 Discrete-Time Markov Reward Models 

This section presents the basic concepts of discrete-time Markov reward models 
that are needed for the rest of the paper. For more details we refer to [14]. 



DMRMs. In order to enable the logical specification of measures-of-interest
over performability models we consider a slight extension of traditional Markov
models where states are equipped with elementary properties, the so-called
atomic propositions. Let $AP$ be a fixed, finite set of atomic propositions.

Definition 1. A (labelled) DTMC $\mathcal{D}$ is a tuple $(S, \mathbf{P}, L)$ where $S$ is a finite set
of states, $\mathbf{P} : S \times S \to [0,1]$ is a probability matrix such that $\sum_{s' \in S} \mathbf{P}(s, s') \in
\{0, 1\}$ for all $s \in S$, and $L : S \to 2^{AP}$ is a labelling function that assigns to
each state $s \in S$ the set $L(s)$ of atomic propositions that are valid in $s$.

Definition 2. A discrete-time Markov reward model (DMRM) $\mathcal{M}$ is a pair $(\mathcal{D}, \rho)$ with
DTMC $\mathcal{D} = (S, \mathbf{P}, L)$ and $\rho : S \to \mathbb{R}_{\geq 0}$ a reward assignment function that
associates a real reward (or: cost) to any state in $S$. The real number $\rho(s)$ denotes
the reward earned on leaving state $s$.¹



Paths. Let $\mathcal{M}$ be a DMRM with underlying DTMC $\mathcal{D} = (S, \mathbf{P}, L)$ and reward
function $\rho$. An infinite path $\sigma$ is a sequence $s_0 \to s_1 \to s_2 \to \ldots$ where $s_i \in S$
and $\mathbf{P}(s_i, s_{i+1}) > 0$ for $i \geq 0$. For $i \in \mathbb{N}$ let $\sigma[i] = s_i$, the state occupied after $i$
transitions. A finite path $\sigma$ of length $n$ is a sequence $s_0 \to \ldots \to s_n$ with $s_i \in S$
and $\mathbf{P}(s_i, s_{i+1}) > 0$ for $0 \leq i < n$. $Path(s)$ denotes the set of (finite and infinite)
paths starting in $s$. Let $Pr_s$ denote the unique probability measure on sets of
paths that start in state $s$ [3]. The cumulative reward along a finite path $\sigma$ of
length $n$ is defined as $\rho(\sigma) = \sum_{i=0}^{n-1} \rho(s_i)$. Note that rewards are earned on
leaving a state, i.e., $\rho(s_n)$ is not part of the cumulative reward of $\sigma$.

Example 1. Consider the DMRM $\mathcal{M}$ with $S = \{s_1, s_2, s_3, s_4\}$,
$L(s_1) = L(s_2) = \{a\}$, $L(s_3) = \{b\}$ and $L(s_4) = \{a, c\}$, reward structure $\rho$
defined by $\rho(s_1) = 2$, $\rho(s_2) = 3$, $\rho(s_3) = 0$, $\rho(s_4) = 2$, and the probability matrix
defined by:

$$\mathbf{P} = \begin{pmatrix} 0.2 & 0.5 & 0.3 & 0 \\ 0 & 0 & 0.1 & 0.9 \\ 0.4 & 0.3 & 0.3 & 0 \\ 0 & 0.6 & 0 & 0.4 \end{pmatrix}$$

An example finite path is $\sigma = s_1 \to s_2 \to s_3 \to s_2 \to s_4$; we have $\sigma[0] = s_1$ and $\sigma[3] = s_2$, and
the cumulative reward $\rho(\sigma)$ equals $2 + 3 + 0 + 3 = 8$. The probability of $\sigma$ is $Pr_{s_1}(\sigma) =
0.5 \cdot 0.1 \cdot 0.3 \cdot 0.9 = 0.0135$.

Transient and Limiting Behavior. Transient analysis studies the system at
a certain time instant $n$. Let $\pi(s, s', n)$ denote the probability that the system is
in state $s'$ after $n$ steps given that the system started in state $s$. These transition
probabilities can be calculated using the Chapman-Kolmogorov equations:

$$\pi(s, s', n) = \sum_{t \in S} \pi(s, t, i) \cdot \pi(t, s', n-i) \quad \text{for } 0 \leq i \leq n, \qquad (1)$$

where $\pi(s, s', 0) = 0$ if $s' \neq s$ and $\pi(s, s, 0) = 1$. When $n$ tends to infinity, one con-
siders the limiting (i.e., long-run) behaviour of DTMCs. The limiting behaviour
of a DTMC strongly depends on the structure of the considered chain, more

¹ Here we consider rewards to be constant, but there do exist variants in which rewards
are random variables.
specifically, on the capacity of states to reach each other within finitely many
steps. It is well known that in case of an irreducible finite aperiodic DTMC
the limit $\lim_{n \to \infty} \pi(s, s', n)$ exists and precisely characterises the limiting prob-
abilities $\pi(s, s')$, also called steady-state probabilities, of the DTMC [13]. If the
considered DTMC is irreducible and periodic then this limit does not exist. In
that case, one considers the long-run fraction of time that the system spends in
state $s'$ when starting in state $s$.

The probabilities $\pi(s, s')$ can (in both cases) be characterised as the unique
solution of a system of linear equations (the balance equations of the chain together
with the normalisation of the probabilities to one).

For irreducible aperiodic DTMCs, $\pi(s, s')$ coincides with $\lim_{n \to \infty} \pi(s, s', n)$, see
e.g., [14]. Although the initial state does not have any influence on the value of
$\pi(s, s')$, we keep this notation because in the case of reducible DTMCs the initial
state has influence on the limiting behaviour. Let $\pi(s, S')$ denote $\sum_{s' \in S'} \pi(s, s')$
for $S' \subseteq S$.

Reward Measures. For DMRMs the following reward measures are considered,
see also [18]. Assume that the system starts in state $s$.

- The expected reward rate per time-unit up to time instant $n$, denoted $g(s, n)$,
  and its limiting counterpart, the long-run expected reward rate per time-unit,
  denoted $g(s)$. They are defined as follows:

  $$g(s, n) = \frac{1}{n+1} \sum_{i=0}^{n} E\big[\rho(\sigma_s[i])\big] \qquad \text{and} \qquad g(s) = \lim_{n \to \infty} g(s, n),$$

  where (the random variable) $\sigma_s$ ranges over $Path(s)$.

- The instantaneous reward at time instant $n$: $\rho(s, s', n) = \pi(s, s', n) \cdot \rho(s')$. For
  $S' \subseteq S$ let $\rho(s, S', n) = \sum_{s' \in S'} \rho(s, s', n)$, i.e., $\rho(s, S', n)$ is the instantaneous
  reward at time instant $n$ in the set $S'$.

- The expected accumulated reward until the $n$-th transition is defined as
  follows: $y(s, n) = \sum_{i=0}^{n-1} \rho(s, S, i)$. According to the definition of path reward,
  the sum goes up to $n-1$, i.e., the reward of the last state of the path is
  ignored. An alternative characterisation of this reward measure is $y(s, n) =
  \sum_{s' \in S} \sum_{\sigma \in Path(s, s', n)} \rho(\sigma) \cdot Pr_s(\sigma)$, where $Path(s, s', n)$ denotes the set of finite
  paths of length $n$ that start in $s$ and end in $s'$.

Multiple Rewards. If various measures-of-interest are to be determined for
a Markov model, typically several different reward structures are imposed, see
e.g., [18, Section II]. For $k > 0$ reward structures, a DMRM is a $(k+1)$-tuple
$(\mathcal{D}, \rho_1, \ldots, \rho_k)$ with $\mathcal{D}$ a DTMC and $\rho_j$ a reward assignment function, for $0 <
j \leq k$. The reward measures defined above can now all be considered for each of
the different reward assignments $\rho_j$ in a fairly straightforward manner. Let $\rho_j(\sigma)$
be the accumulated $j$-th reward along finite path $\sigma$, i.e., for $\sigma = s_0 \to \ldots \to s_n$
we have $\rho_j(\sigma) = \sum_{i=0}^{n-1} \rho_j(s_i)$. The instantaneous $j$-th reward at time instant $n$
is defined by $\rho_j(s, s', n) = \pi(s, s', n) \cdot \rho_j(s')$. The other reward measures are
generalised in a similar manner.



3 Probabilistic Reward CTL 

This section introduces the logic Probabilistic Reward CTL (PRCTL) that is 
aimed at the specification of performability measures over discrete-time Markov 
reward models. To simplify the presentation we first recall Probabilistic CTL 
(PCTL) by Hansson and Jonsson [11], and extend it by a long-run average 
operator. 



PCTL with Long-Run Average. Let $a \in AP$, $p \in [0,1]$, $n$ be a natural number (or
$\infty$) and $\unlhd \in \{\leq, <, \geq, >\}$ a binary comparison operator. The syntax of PCTL
is:

$$\Phi ::= \mathit{tt} \;\mid\; a \;\mid\; \Phi \wedge \Phi \;\mid\; \neg\Phi \;\mid\; \mathcal{L}_{\unlhd p}(\Phi) \;\mid\; \mathcal{P}_{\unlhd p}(\Phi\, \mathcal{U}^{\leq n}\, \Phi)$$

The other boolean connectives are derived in the usual way. For the sake of
simplicity, we do not consider the next state operator in this paper. The standard
(i.e. unbounded) until formula is obtained by taking $n$ equal to $\infty$, i.e., $\Phi\, \mathcal{U}\, \Psi =
\Phi\, \mathcal{U}^{\leq \infty}\, \Psi$. Temporal operators like $\Diamond$, $\Box$ and their timed variants $\Diamond^{\leq n}$, $\Box^{\leq n}$ can
be derived, e.g., $\Diamond^{\leq n} \Phi = \mathit{tt}\, \mathcal{U}^{\leq n}\, \Phi$ and $\mathcal{P}_{\geq p}(\Box \Phi) = \mathcal{P}_{\leq 1-p}(\Diamond \neg\Phi)$.

Let $Sat(\Phi) = \{ s \mid s \models \Phi \}$ be the set of states that satisfy $\Phi$. The semantics of
PCTL is defined by [11]:

$$\begin{array}{lcl}
s \models \mathit{tt} & & \text{for all } s \in S \\
s \models a & \text{iff} & a \in L(s) \\
s \models \neg\Phi & \text{iff} & s \not\models \Phi \\
s \models \Phi \wedge \Psi & \text{iff} & s \models \Phi \wedge s \models \Psi \\
s \models \mathcal{L}_{\unlhd p}(\Phi) & \text{iff} & \pi(s, Sat(\Phi)) \unlhd p \\
s \models \mathcal{P}_{\unlhd p}(\Phi\, \mathcal{U}^{\leq n}\, \Psi) & \text{iff} & Prob(s, \Phi\, \mathcal{U}^{\leq n}\, \Psi) \unlhd p
\end{array}$$

$\mathcal{P}_{\unlhd p}(\Phi\, \mathcal{U}^{\leq n}\, \Psi)$ asserts that the probability measure of the paths that start in $s$
and that satisfy $\Phi\, \mathcal{U}^{\leq n}\, \Psi$ meets the bound $\unlhd p$. The state formula $\mathcal{L}_{\unlhd p}(\Phi)$ asserts
that the long-run average fraction of time for the set of $\Phi$-states meets the
bound $\unlhd p$. Here, $Prob(s, \varphi) = Pr_s\{ \sigma \in Path(s) \mid \sigma \models \varphi \}$. Formula $\Phi\, \mathcal{U}^{\leq n}\, \Psi$
asserts that $\Psi$ will be satisfied within $n$ steps and that all preceding
states satisfy $\Phi$, i.e.:

$$\sigma \models \Phi\, \mathcal{U}^{\leq n}\, \Psi \quad \text{iff} \quad \exists j \leq n.\ (\sigma[j] \models \Psi \wedge \forall i < j.\ \sigma[i] \models \Phi)$$

Some example properties that can be expressed in PCTL for our running ex-
ample are $\mathcal{P}_{\geq 0.3}(\Diamond b)$ (a $b$-state can be reached with probability at least 0.3),
$\mathcal{P}_{\geq 0.3}(a\, \mathcal{U}^{\leq 3}\, b)$ (a $b$-state can be reached with probability at least 0.3 by at most
3 hops along $a$-states), and $\mathcal{L}_{\leq 0.5}(a)$ (the long-run average fraction of time spent
in $a$-states is at most 0.5).
Syntax of PRCTL. We now extend the logic PCTL with ample means to
specify properties that do not only address probabilistic aspects but in addition
allow constraints over reward measures to be specified. Some of the new operators are
inspired by Baier et al. [3] who introduced a performability logic for continuous-
time Markov reward models (with state rewards).

Let $J \subseteq \mathbb{R}_{\geq 0}$ be an interval on the real line, $n$ a natural number, $p \in [0,1]$
and $N \subseteq \mathbb{N} \cup \{\infty\}$ an interval of natural numbers (or infinity). The syntax of
PRCTL is defined by the following syntax clauses:

$$\Phi ::= \mathit{tt} \;\mid\; a \;\mid\; \Phi \wedge \Phi \;\mid\; \neg\Phi \;\mid\; \mathcal{L}_{\unlhd p}(\Phi) \;\mid\; \mathcal{P}_{\unlhd p}(\Phi\, \mathcal{U}^{N}_{J}\, \Phi) \;\mid\; \mathcal{E}^{n}_{J}(\Phi) \;\mid\; \mathcal{E}_{J}(\Phi) \;\mid\; \mathcal{C}^{n}_{J}(\Phi) \;\mid\; \mathcal{Y}^{n}_{J}(\Phi)$$

The intuitive interpretation of these operators is as follows. Formula $\mathcal{E}^{n}_{J}(\Phi)$ as-
serts that the expected reward rate in $\Phi$-states up to $n$ transitions (reached
at the $n$-th epoch) lies within the interval $J$. Formula $\mathcal{E}_{J}(\Phi)$ expresses that
the long-run expected reward rate per time-unit for $\Phi$-states meets the bounds
of $J$. The formula $\mathcal{C}^{n}_{J}(\Phi)$ asserts that the instantaneous reward in $\Phi$-states at
the $n$-th epoch meets the bounds of $J$. Formula $\mathcal{Y}^{n}_{J}(\Phi)$ asserts that the expected
accumulated reward in $\Phi$-states until the $n$-th transition meets the bounds of $J$.



Semantics of PRCTL. The semantics of the state-formulas of PRCTL that
are common with PCTL is identical to the semantics for PCTL as presented
above. The semantics of the new operators is defined by:

$$\begin{array}{lcl}
s \models \mathcal{E}^{n}_{J}(\Phi) & \text{iff} & g(s, Sat(\Phi), n) \in J \\
s \models \mathcal{E}_{J}(\Phi) & \text{iff} & g(s, Sat(\Phi)) \in J \\
s \models \mathcal{C}^{n}_{J}(\Phi) & \text{iff} & \rho(s, Sat(\Phi), n) \in J \\
s \models \mathcal{Y}^{n}_{J}(\Phi) & \text{iff} & y(s, Sat(\Phi), n) \in J
\end{array}$$

where we have that for $S' \subseteq S$ (with $\mathbf{1}_{S'}$ the indicator function of $S'$):

$$g(s, S', n) = \frac{1}{n+1} \sum_{i=0}^{n} E\big[\rho(\sigma_s[i]) \cdot \mathbf{1}_{S'}(\sigma_s[i])\big]
\qquad \text{and} \qquad g(s, S') = \lim_{n \to \infty} g(s, S', n).$$

Note that $g(s, n)$ as defined earlier coincides with $g(s, S, n)$. Stated in words,
$g(s, S', n)$ denotes the expected reward rate up to the $n$-th epoch given that
we are only interested in states belonging to the set $S'$. The expected accumu-
lated reward for states in $S'$ until the $n$-th transition is defined by $y(s, S', n) =
\sum_{i=0}^{n-1} \rho(s, S', i)$. Note that $y(s, n)$ as defined earlier coincides with $y(s, S, n)$.

Formula $\Phi\, \mathcal{U}^{N}_{J}\, \Psi$ asserts that $\Psi$ will be satisfied within $j \in N$ steps, that all
preceding states satisfy $\Phi$, and that the accumulated reward until reaching the
$\Psi$-state lies in the interval $J$. Formally:

$$\sigma \models \Phi\, \mathcal{U}^{N}_{J}\, \Psi \quad \text{iff} \quad \exists j \in N.\ \Big(\sigma[j] \models \Psi \;\wedge\; \forall i < j.\ \sigma[i] \models \Phi \;\wedge\; \sum_{i=0}^{j-1} \rho(\sigma[i]) \in J\Big)$$

Example 2. Some example properties that can be expressed in PRCTL for our
running example are $\mathcal{P}_{\geq 0.3}(a\, \mathcal{U}^{\leq 3}_{> 23}\, b)$ (a $b$-state can be reached with probability
at least 0.3 by at most 3 hops along $a$-states accumulating costs of more than
23), and $\mathcal{Y}^{3}_{[3,5]}(a)$ (the accumulated costs expected within 3 hops is at least 3
and at most 5).
Multiple Rewards. The logic PRCTL can easily be enhanced such that prop-
erties over models equipped with multiple reward structures can be treated.
Suppose $\mathcal{M} = (\mathcal{D}, \rho_1, \ldots, \rho_k)$ is a DMRM with $k > 0$ reward structures, and let
$0 < j \leq k$. The reward operators of PRCTL can be generalised in a straightfor-
ward manner such that constraints on all $k$ reward structures can be expressed in
a single formula. For instance, the formula $\mathcal{E}_{J_1, \ldots, J_k}(\Phi)$ expresses that the long-
run expected reward rate per time-unit for $\Phi$-states meets the bounds of $J_1$ for
reward structure $\rho_1$, ..., and the bounds of $J_k$ for reward structure $\rho_k$. Its semantics
is defined by: $s \models \mathcal{E}_{J_1, \ldots, J_k}(\Phi)$ if and only if $g_j(s, Sat(\Phi)) \in J_j$ for all $0 < j \leq k$.
The other operators can be generalised in a similar manner.

When extending to multiple rewards, it is actually possible to encode the time
constraint $N$ (in $\Phi\, \mathcal{U}^{N}_{J}\, \Psi$) as a reward constraint over a simple auxiliary reward
structure (one that assigns reward 1 to every state).

4 Model-Checking Algorithms 

Given a state $s$ of DMRM $\mathcal{M}$ and a PRCTL-formula $\Phi$, the question to be ad-
dressed is how to check whether or not $\Phi$ holds for state $s$, i.e., whether $s \models \Phi$
or $s \not\models \Phi$. The basic procedure is the same as for model-checking CTL [9]:
the set $Sat(\Phi)$ of all states satisfying $\Phi$ is computed recursively and we have
that $s \models \Phi$ if and only if $s \in Sat(\Phi)$. The recursive computation basically
boils down to a bottom-up traversal of the parse tree of the formula $\Phi$. For the
propositional fragment of PRCTL this goes along the lines of CTL. For deter-
mining $Sat(\mathcal{L}_{\unlhd p}(\Phi))$ we use the method of [3]. Model-checking time-bounded
until-formulae is based on path graph generation.

Path Graph Generation. The basic concept of the algorithm is to compute
the "unfolding" of the DMRM under consideration while keeping track of the
accumulated reward so far. Nodes in the tree that have the same accumulated
reward are grouped together in a single vertex. The resulting directed acyclic
graph $(V, E, v_0)$ with finite (non-empty) set of vertices $V$, set of edges $E$ and a
distinguished initial vertex $v_0$, is called path graph. We have $V \subseteq \mathbb{R} \times \mathcal{P}(S \times
(0, 1])$. The initial vertex $v_0$ equals $(0, \{(s_0, 1)\})$ where $s_0$ is the state of the
DMRM to be investigated, $0$ is the accumulated reward so far, and $1$ denotes
that the probability to be in state $s_0$ equals one (when starting in $s_0$). In general,
vertex $v = (k, S_k)$ with $S_k = \{(s_1, p_1), \ldots, (s_m, p_m)\}$ denotes that starting from
state $s_0$ each state $s_i$ ($0 < i \leq m$) can be reached with probability $p_i > 0$
(possibly via more than one path) while having earned a cumulative reward $k$.
A path graph is basically an unfolding of the DMRM (while keeping track of
the accumulated reward) and thus may be infinite. Since we are interested in
paths of a certain length, viz. $n$, we "cut off" the unfolding at depth $n$. Formally,
we consider the sets $V_0, \ldots, V_n$, where $V_i \subseteq V$ is the set of all vertices (of the
above form) that can be reached in exactly $i$ steps. Thus, for $v = (k, S_k) \in V_n$
with $S_k = \{(s_1, p_1), \ldots, (s_m, p_m)\}$ we have that $\sum_i p_i$ equals the probability to
gain $k$ reward in $n$ transitions when starting in state $s_0$. Figure 1 presents the
 1.  V_0 := {0};                                   // only nodes with cumulative reward zero
 2.  S_0 := {(s_0, 1)};                            // state s_0 can be reached with probability one
 3.  for (i := 0; i < n; i++)                      // i is current level number
 4.    foreach m ∈ V_i                             // check all rewards at level i
 5.      foreach (s, p) ∈ S_m
 6.        m' := m + ρ(s);                         // new cumulative reward
 7.        foreach s' with P(s, s') > 0            // all direct successors of s
 8.          if m' ∉ V_{i+1}                       // encountering fresh reward m'
 9.          then V_{i+1} := V_{i+1} ∪ {m'};       // add new vertex
10.               S_{m'} := {(s', p·P(s, s'))};
11.          elseif (s', p') ∈ S_{m'}              // shared node encountered?
12.          then p' := p' + p·P(s, s');
13.          else S_{m'} := S_{m'} ∪ {(s', p·P(s, s'))};
14.          endif;
15.        endforeach;
16.      endforeach;
17.    endforeach;
18.  endfor;

Fig. 1. Path graph generation algorithm

pseudo-code of a variation of the path graph generation algorithm [16]. For the
sake of simplicity, we let $V_i$ be a set of naturals such that if $m \in V_i$ then there
is a vertex $v = (m, S_m) \in V_i$.

Example 3. The path graph for our running example DMRM for three steps
($n = 3$), starting from state $s_1$, is shown in the figure below (not reproduced here).





Time-Bounded Transient Rewards: Fix-Point Characterization. Veri-
fication algorithms for until-formulae (in CTL and PCTL) are inspired by a fix-
point characterization [9, 11]. Checking the bounded until-operator in PRCTL
amounts to computing the least solution of the following set of equations:
$Prob(s, \Phi\, \mathcal{U}^{N}_{J}\, \Psi)$ equals 1 if $s \in Sat(\Psi)$ and $0 \in N$ and $0 \in J$,

$$Prob(s, \Phi\, \mathcal{U}^{N}_{J}\, \Psi) = \sum_{s' \in S} \mathbf{P}(s, s') \cdot Prob(s', \Phi\, \mathcal{U}^{N \ominus 1}_{J \ominus \rho(s)}\, \Psi) \qquad (4)$$

if $s \in Sat(\Phi)$, $\sup N > 0$, and $\rho(s) \leq \sup J$, and equals 0 otherwise. Here,
$N \ominus n = \{ m - n \mid m \in N, m \geq n \}$ and $J \ominus r = \{ j - r \mid j \in J, j \geq r \}$ for some
$r \in \mathbb{R}$. Stated in words, the probability to reach a $\Psi$-state from $s$ in $n \in N$ steps
by earning a reward $r \in J$ equals the probability to move to a direct successor $s'$
of $s$ multiplied by the probability to reach a $\Psi$-state from $s'$ in $N \ominus 1$ transitions
by earning $J \ominus \rho(s)$ reward. Model-checking the until-operator in PRCTL thus
amounts to determining the least solution of this set of linear equations.



Time-Bounded Transient Rewards: Algorithm. The algorithm to check
time- and (possibly) reward-bounded until-formulas is based on the path graph
generation algorithm presented above. We discuss our algorithm for the case
that $N$ is a singleton set, say $N = \{n\}$, and later discuss how this can be
adapted to arbitrary sets. Suppose we have to check whether $s_0 \models \mathcal{P}_{\unlhd q}(\Phi\, \mathcal{U}^{N}_{J}\, \Psi)$,
assuming $s_0 \models \Phi$. In order to do so, the following adaptations are made to the
algorithm of Figure 1:

 1.  V_0 := {0};                                    // only nodes with cumulative reward zero
 2.  S_0 := {(s_0, 1)};                             // state s_0 can be reached with probability one
 3.  for (i := 0; i < n; i++)
 4.    foreach m ∈ V_i                              // check all rewards at level i
 5.      foreach (s, p) ∈ S_m
 6.        if (m + ρ(s) ≤ sup J)                    // reward bound not exceeded?
 7.        then m' := m + ρ(s);                     // new cumulative reward
 8.          foreach s' with P(s, s') > 0           // all direct successors of s
 9.            if (i < n−1 ∧ s' ∈ Sat(Φ)) ∨ (i = n−1 ∧ s' ∈ Sat(Ψ))
10.              if m' ∉ V_{i+1}                    // encountering fresh reward m'
11.              then V_{i+1} := V_{i+1} ∪ {m'};    // add new vertex
12.                   S_{m'} := {(s', p·P(s, s'))};
13.              elseif (s', p') ∈ S_{m'}           // shared node encountered?
14.              then p' := p' + p·P(s, s');
15.              else S_{m'} := S_{m'} ∪ {(s', p·P(s, s'))};
16.              endif;
17.            endif;
18.          endforeach;
19.        endif;
20.      endforeach;
21.    endforeach;
22.  endfor;
23.  pr := 0;
24.  foreach m ∈ (V_n ∩ J)
25.    foreach (s, p) ∈ S_m  pr := pr + p;  endforeach;
26.  endforeach;
27.  return pr ⊴ q.

Fig. 2. Checking whether $s_0 \models \mathcal{P}_{\unlhd q}(\Phi\, \mathcal{U}^{\{n\}}_{J}\, \Psi)$
- in selecting the successor states of $s$ (line 8 in Figure 1) we only consider
  $\Phi$-states if $i < n-1$ and only $\Psi$-states if $i = n-1$ (i.e., in the last step); this
  guarantees that all paths considered satisfy $\Phi\, \mathcal{U}^{\{n\}}\, \Psi$ and all other paths are
  ignored;

- it is checked whether the reward bound $\sup J$ is exceeded (line 6);

- in order to decide whether $s_0 \models \mathcal{P}_{\unlhd q}(\Phi\, \mathcal{U}^{\{n\}}_{J}\, \Psi)$ we check (after finishing the
  outermost iteration) whether the total probability to end up in states with
  an accumulated reward in $J$ meets the bound $\unlhd q$, i.e., whether

  $$\sum_{(s, p) \in S_m \,\wedge\, m \in (V_n \cap J)} p \;\unlhd\; q.$$

  This requires an iteration over all vertices in $V_n \cap J$.

The resulting algorithm is presented in Figure 2. Note that the original path
graph generation algorithm by Qureshi and Sanders [16] is obtained by checking
the PRCTL formula

The following optimization can be made. For checking properties with lower
bounds on the required probabilities (i.e., $\unlhd \in \{\geq, >\}$), the computation can be
terminated as soon as the total probability of all vertices at level $i$ (with $i < n$)
is less than $q$ (or at most $q$, respectively). In that case, it is certain that the
PRCTL-formula is refuted, as the total probability will not further increase by
going from level $i$ to $i+1$.

Example 4. Consider the formula $\mathcal{P}_{> 0.3}(a\, \mathcal{U}^{\{4\}}_{[6,10]}\, c)$ for state $s_1$. Stated in words,
we want to check whether the probability to reach a $c$-state via an $a$-path (a path
only consisting of $a$-states) in exactly 4 steps while earning a reward between 6
and 10 exceeds 0.3. Note that the path graph for $n = 4$ is the extension of the
path graph of the previous example with the level $V_4$. The pruned path graph
that is obtained after running our adapted path graph generation algorithm has
two vertices at level $V_4$ (the figure is not reproduced here).

As the sum of the probabilities in the vertices of $V_4$ ($0.234 + 0.162$) exceeds 0.3
we conclude that $s_1 \models \mathcal{P}_{> 0.3}(a\, \mathcal{U}^{\{4\}}_{[6,10]}\, c)$.
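The path graph generation of Fig. 1 and its pruned, reward-bounded variant of Fig. 2, run on the running example of Examples 3 and 4, as an added example written for this page; it is not the paper's implementation. It assumes the DMRM of Example 1 as printed, takes $\Phi$ and $\Psi$ as atomic propositions, keeps the vertex sets $S_m$ per level (they are level-specific, since the same reward value occurs on several levels of the running example), and uses exact fractions; the function names are the example's own. With the matrix of Example 1 as printed, the pruned graph of Example 4 ends with reward-9 and reward-10 vertices of mass 0.126 and 0.243 (total 0.369), whereas the text quotes $0.234 + 0.162$; the figures differ only by transposed digits and give the same verdict, since both sums exceed 0.3.

```python
import operator
from fractions import Fraction as F

# Running-example DMRM of Example 1 (labels, rewards and P as printed on the page);
# Fractions keep every probability exact, so vertex masses can be compared directly.
STATES = ["s1", "s2", "s3", "s4"]
LABELS = {"s1": {"a"}, "s2": {"a"}, "s3": {"b"}, "s4": {"a", "c"}}
REWARD = {"s1": 2, "s2": 3, "s3": 0, "s4": 2}
P = {  # only the transitions with P(s, s') > 0
    "s1": {"s1": F("0.2"), "s2": F("0.5"), "s3": F("0.3")},
    "s2": {"s3": F("0.1"), "s4": F("0.9")},
    "s3": {"s1": F("0.4"), "s2": F("0.3"), "s3": F("0.3")},
    "s4": {"s2": F("0.6"), "s4": F("0.4")},
}
CMP = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def generate_levels(s0, n, phi=None, psi=None, sup_j=None):
    """Yield the levels V_0, V_1, ..., V_n of the path graph (Fig. 1) one at a time.
    A level maps an accumulated reward m to its vertex S_m = {state: probability};
    the S_m are kept per level because the same reward value recurs on several levels.
    With phi, psi and sup_j given this is the pruned generation of Fig. 2: successors
    must satisfy phi before the last step and psi in the last step, and a branch whose
    reward would exceed sup J is dropped before its successors are expanded."""
    level = {0: {s0: F(1)}}
    yield level
    for i in range(n):
        nxt = {}
        for m, vertex in level.items():
            for s, p in vertex.items():
                m2 = m + REWARD[s]                      # reward is earned on leaving s
                if sup_j is not None and m2 > sup_j:
                    continue                            # reward bound exceeded: prune
                for s2, pr in P[s].items():
                    if phi is not None:
                        wanted = psi if i == n - 1 else phi
                        if wanted not in LABELS[s2]:
                            continue                    # path would not satisfy phi U psi
                    bucket = nxt.setdefault(m2, {})     # fresh vertex, or shared node
                    bucket[s2] = bucket.get(s2, F(0)) + p * pr
        level = nxt
        yield level


def path_graph(s0, n, phi=None, psi=None, sup_j=None):
    """The list [V_0, ..., V_n]."""
    return list(generate_levels(s0, n, phi, psi, sup_j))


def level_mass(levels, i):
    """Probability of having earned exactly reward m after i steps, for each m in V_i."""
    return {m: sum(v.values()) for m, v in levels[i].items()}


def prob_until(s0, phi, psi, n, lo, hi):
    """Prob(s0, phi U^{n}_{[lo,hi]} psi): total mass of the level-n vertices whose reward lies in J."""
    last = path_graph(s0, n, phi, psi, hi)[n]
    return sum(p for m, v in last.items() if lo <= m <= hi for p in v.values())


def check_until(s0, phi, psi, n, lo, hi, cmp, q):
    """s0 |= P_{cmp q}(phi U^{n}_{[lo,hi]} psi), assuming s0 |= phi (lines 23-27 of Fig. 2)."""
    return CMP[cmp](prob_until(s0, phi, psi, n, lo, hi), q)


def check_until_early(s0, phi, psi, n, lo, hi, q):
    """The optimisation of the text for P_{>= q}: the formula is refuted as soon as the
    total mass of a level i < n is below q, because later levels can only lose mass."""
    for i, level in enumerate(generate_levels(s0, n, phi, psi, hi)):
        if i < n and sum(p for v in level.values() for p in v.values()) < q:
            return False
    return sum(p for m, v in level.items() if lo <= m <= hi for p in v.values()) >= q
```

For Example 4, `check_until("s1", "a", "c", 4, 6, 10, ">", F("0.3"))` returns True, and `level_mass(path_graph("s1", 3), 3)` gives the level-3 masses of Example 3, namely 0.09, 0.18, 0.14, 0.04 and 0.55 for the rewards 2, 4, 5, 6 and 7, which sum to one because nothing is pruned in the unconstrained graph.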



Time Intervals. The next question is how we can adapt the algorithm if the
number of transitions is not fixed (like $n$ above) but an interval, i.e., $N = [n, n']$
with $0 \leq n \leq n'$. Obviously, in the worst case we have to generate all levels of
the path graph from $0$ to $n'$. Since the above algorithm does not keep track of
probabilities achieved in earlier levels (but only in the last two levels), a new
variable is introduced to accumulate these probabilities from level $n$ to $n'$. Fur-
thermore, we cut off all transitions emanating from a node for which the formula
under consideration becomes true. Thus, if during model-checking $\mathcal{P}_{\unlhd p}(\Phi\, \mathcal{U}^{N}_{J}\, \Psi)$
we encounter that $\Psi$ is valid for a generated path from $s_0$ to $s$, no further
investigation of the sub-tree starting in $s$ is done, as all such paths have the
path $s_0, \ldots, s$ as prefix.



Unbounded Time Case. For model checking an until-formula with an un-
bounded time (or reward) interval, the algorithm in Fig. 2 is not always ter-
minating. To solve this problem we do the following. If the DMRM contains
a strongly connected component (SCC) $B$ with only $\Phi$-states having reward 0,
we transform (as a preprocessing step) the DMRM into an equivalent DMRM
that does not have such SCCs. This basically amounts to computing $Prob(s, \Diamond \neg B)$,
the probability of leaving $B$ via each of its exit states, for each possible entrance
state $s$ of $B$, which amounts to solving a system of linear equations [14].



Multiple Rewards. The previous algorithm can easily be extended in order to
deal with DMRMs with more than one reward structure. Suppose we have $k$ re-
ward structures and we are about to check whether $s_0 \models \mathcal{P}_{\unlhd q}(\Phi\, \mathcal{U}^{N}_{J_1, \ldots, J_k}\, \Psi)$.
In this case, vertices in the path graph are tuples $(l_1, \ldots, l_k, S_l)$ with $S_l =
\{(s_1, p_1), \ldots, (s_m, p_m)\}$ as before that are to be interpreted as follows: start-
ing from state $s_0$ each state $s_i$ ($0 < i \leq m$) can be reached with probability $p_i$
while having earned reward $l_j$ according to reward structure $\rho_j$ ($0 < j \leq k$). The
algorithm is now obtained by interpreting $m$ and $m'$ as $k$-dimensional vectors
and interpreting the statements in which these variables occur accordingly. For in-
stance, $m + \rho(s) \leq \sup J$ should now be read as $\forall\, 0 < j \leq k.\ m_j + \rho_j(s) \leq \sup J_j$.
Note that the time complexity of the algorithm is increased by a factor $k$.



Reward Measures. The reward operators $\mathcal{C}$, $\mathcal{E}$ and $\mathcal{Y}$ are verified as follows.
In order to decide whether $s \in Sat(\mathcal{C}^{n}_{J}(\Phi))$ we first determine the set $Sat(\Phi)$, i.e.,
the states that fulfill $\Phi$, and then sum the instantaneous rewards in these states
at epoch $n$ (when starting in $s$), which boils down to a transient analysis of
the underlying DTMC, and check whether this sum lies in $J$. To check whether
$s \in Sat(\mathcal{E}_{J}(\Phi))$, recursively $Sat(\Phi)$ is computed. A slight generalisation of [14,
Theorem 3.23] now yields that

$$s \in Sat(\mathcal{E}_{J}(\Phi)) \quad \text{if and only if} \quad \sum_{s' \in Sat(\Phi)} \pi(s, s') \cdot \rho(s') \in J.$$

This thus boils down to solving a system of linear equations. For $\mathcal{E}^{n}_{J}(\Phi)$ we have:

$$s \in Sat(\mathcal{E}^{n}_{J}(\Phi)) \quad \text{if and only if} \quad \sum_{s' \in Sat(\Phi)} \pi^{*}(s, s', n) \cdot \rho(s') \in J,$$

where $\pi^{*}(s, s', n) = \frac{1}{n+1} \sum_{i=0}^{n} \pi(s, s', i)$. Finally, checking the $\mathcal{Y}$-operator
amounts to solving a system of linear equations (again). The quantity
$y(s, Sat(\Phi), n)$ is characterized as the smallest solution of the following system
of linear equations:

$$y(s, Sat(\Phi), n) = \begin{cases}
0 & \text{if } n = 0 \\
\rho(s) + \sum_{s' \in S} \mathbf{P}(s, s') \cdot y(s', Sat(\Phi), n-1) & \text{if } s \in Sat(\Phi) \wedge n > 0 \\
\sum_{s' \in S} \mathbf{P}(s, s') \cdot y(s', Sat(\Phi), n-1) & \text{if } s \notin Sat(\Phi) \wedge n > 0
\end{cases}$$
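The measures of Section 2 (transient probabilities, path reward and probability, instantaneous, expected-rate and accumulated reward, long-run rate) together with the checks for $\mathcal{C}$, $\mathcal{E}$ and $\mathcal{Y}$ sketched above, as an added Python example written for this page; it is not the paper's implementation and does not reproduce [14, Theorem 3.23]. It assumes the running-example DMRM of Example 1, represents $J$ as a closed interval $(lo, hi)$, and assumes the chain is irreducible, so that the steady state is the unique solution of the balance equations plus normalisation, which it solves by Gauss-Jordan elimination over exact fractions; the function and variable names are the example's own.

```python
from fractions import Fraction as F

# Running-example DMRM of Example 1 (labels, rewards and P as printed on the page);
# Fractions keep the arithmetic exact.
STATES = ["s1", "s2", "s3", "s4"]
LABELS = {"s1": {"a"}, "s2": {"a"}, "s3": {"b"}, "s4": {"a", "c"}}
REWARD = {"s1": F(2), "s2": F(3), "s3": F(0), "s4": F(2)}
P = {
    "s1": {"s1": F("0.2"), "s2": F("0.5"), "s3": F("0.3"), "s4": F(0)},
    "s2": {"s1": F(0), "s2": F(0), "s3": F("0.1"), "s4": F("0.9")},
    "s3": {"s1": F("0.4"), "s2": F("0.3"), "s3": F("0.3"), "s4": F(0)},
    "s4": {"s1": F(0), "s2": F("0.6"), "s3": F(0), "s4": F("0.4")},
}


def sat(atom):
    """Sat(a) for an atomic proposition a."""
    return {s for s in STATES if atom in LABELS[s]}


def path_reward(path):
    """rho(sigma): rewards are earned on leaving a state, so the last state does not count."""
    return sum(REWARD[s] for s in path[:-1])


def path_prob(path):
    """Pr_s(sigma) of a finite path: the product of its transition probabilities."""
    pr = F(1)
    for s, t in zip(path, path[1:]):
        pr *= P[s][t]
    return pr


def transient(s, n):
    """pi(s, ., n): the distribution after n steps, by n vector-matrix products."""
    dist = {t: F(int(t == s)) for t in STATES}
    for _ in range(n):
        dist = {t: sum(dist[u] * P[u][t] for u in STATES) for t in STATES}
    return dist


def inst_reward(s, subset, n):
    """rho(s, S', n): instantaneous reward earned in the states of S' at epoch n."""
    dist = transient(s, n)
    return sum(dist[t] * REWARD[t] for t in subset)


def exp_rate(s, subset, n):
    """g(s, S', n): expected reward rate per time unit up to epoch n."""
    return sum(inst_reward(s, subset, i) for i in range(n + 1)) / (n + 1)


def acc_reward(s, subset, n):
    """y(s, S', n): expected reward accumulated in S' before the n-th transition completes."""
    return sum(inst_reward(s, subset, i) for i in range(n))


def steady_state():
    """Long-run probabilities pi(s') of the chain, assumed irreducible: the unique solution
    of the balance equations pi = pi P together with sum(pi) = 1, by Gauss-Jordan elimination."""
    k = len(STATES)
    rows = [[P[u][t] - F(int(u == t)) for u in STATES] + [F(0)] for t in STATES[:-1]]
    rows.append([F(1)] * k + [F(1)])   # normalisation replaces one redundant balance equation
    for c in range(k):
        piv = next(r for r in range(c, k) if rows[r][c] != 0)
        rows[c], rows[piv] = rows[piv], rows[c]
        scale = rows[c][c]
        rows[c] = [x / scale for x in rows[c]]
        for r in range(k):
            if r != c and rows[r][c] != 0:
                f = rows[r][c]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[c])]
    return {u: rows[i][k] for i, u in enumerate(STATES)}


def long_run_rate(subset):
    """g(s, S'): long-run expected reward rate per time unit earned in S'."""
    pi = steady_state()
    return sum(pi[t] * REWARD[t] for t in subset)


def holds(op, s, atom, J, n=None):
    """Decide s |= C^n_J(a), E^n_J(a), Y^n_J(a) (op 'C', 'E', 'Y') or E_J(a) (op 'E_lim'),
    with J a closed interval (lo, hi)."""
    subset = sat(atom)
    value = {
        "C": lambda: inst_reward(s, subset, n),
        "E": lambda: exp_rate(s, subset, n),
        "Y": lambda: acc_reward(s, subset, n),
        "E_lim": lambda: long_run_rate(subset),
    }[op]()
    return J[0] <= value <= J[1]
```

For the running example `steady_state()` returns $(2/61, 22/61, 4/61, 33/61)$, so the PCTL example $\mathcal{L}_{\leq 0.5}(a)$ is false (the $a$-states carry $57/61$ of the long-run mass) and the long-run reward rate is $136/61$; `acc_reward("s1", set(STATES), 3)` gives $y(s_1, 3) = 5.69$, and `path_prob(["s1", "s2", "s3", "s2", "s4"])` reproduces the $0.0135$ of Example 1.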

Complexity Analysis. If real numbers are permitted as rewards, the time
complexity of the algorithm (cf. Fig. 2) is exponential in $|S|$, due to the fact that
all paths (of some length) may have distinct accumulated rewards. If, however,
we restrict to naturals or rationals (which mostly suffices) as rewards, checking
a time- and reward-bounded until-formula has a time complexity in $O(n \cdot \sup J \cdot
|S|^3)$.

5 Case Study: The IPv4 Zeroconf Protocol

As a case study, we consider the IPv4 zeroconf protocol, a simple protocol pro-
posed by the IETF [6], aimed at the self-configuration of IP network interfaces
in ad-hoc networks. The probabilistic behaviour of this protocol modeled as
a DMRM is adopted from [5].



The IPv4 Zeroconf Protocol. The IPv4 zeroconf protocol is designed for
a home local network of appliances (microwave oven, laptop, VCR, DVD-player
etc.), each of which is supplied with a network interface to enable mutual com-
munication. Such ad-hoc networks must be hot-pluggable and self-configuring.
Among others, this means that when a new appliance (interface) is connected
to the network, it must be configured with a unique IP address automatically.
The zeroconf protocol solves this task in the following way. A host that needs
to be configured randomly selects an IP address, $U$ say, out of the 65024 avail-
able addresses and broadcasts a message (called probe) saying "Who is using
the address $U$?". If the probe is received by a host that is already using the
address $U$, it replies by a message indicating that $U$ is in use. After receiving
this message the host to be configured will re-start: it randomly selects a new
address, broadcasts a probe, etc.

Due to message loss or a busy host, a probe or a reply message may not
arrive at some (or all) other hosts. In order to increase the reliability of the
protocol, a host is required to send $n$ probes, each followed by a listening period
of $r$ time units. Therefore, the host can start using the selected IP address only
after $n$ probes have been sent and no reply has been received during $n \cdot r$ time
units. Note that after running the protocol a host may still end up using an IP
address already in use by another host, e.g., because all probes were lost. This
situation, called address collision, is highly undesirable since it may force a host
to kill active TCP/IP connections.
Fig. 3. DMRM model of the IPv4 zeroconf protocol (for n = 4 probes)



Modeling the Protocol. The protocol behaviour of a single host is modeled
by a DTMC that is adapted from [5]. The DTMC consists of n+5 states (cf.
Figure 3 for n = 4) where n is the maximal number of probes needed (as above).
The initial state is s_0 (labeled start). In state s_{n+4} (labeled ok) the host finally
ends up with an unused IP address; in state s_{n+2} (labeled error) it ends up with
an address that is already in use, i.e., an address collision. State s_i (0 < i ≤ n)
is reached after issuing the i-th probe. In state s_0 the host randomly chooses an
IP address. With probability q = m/65024, where m is the number of hosts in
the network when connecting the host to the network, this address is already in
use. With probability 1−q the host chooses an unused address and ends up in
state s_{n+3}. Then it issues n−1 probes and waits n·r time units before using this
address. If the chosen IP address is already in use, state s_1 is reached. Now two
situations are possible. With probability p, no reply is received during r time
units (as either the probe or its reply has been lost), and a next probe is sent,
resulting in state s_2. If, however, a reply has arrived in time, the host returns to
the initial state and re-starts the protocol. The behaviour in state s_i (2 ≤ i < n)
is similar. If in state s_n, however, no reply has been received within r time units
after sending the n-th probe, an address collision occurs.

We consider three reward structures for this model:

— The first reward assignment (denoted ρ1) represents waiting times and is
defined by: ρ1(s_i) = r for 0 < i ≤ n, ρ1(s_0) = 0 assuming that the host ran-
domly selects an address promptly, ρ1(s_{n+3}) = n·r, ρ1(s_{n+2}) = ρ1(s_{n+4}) =
0, and ρ1(s_{n+1}) = E, where E denotes some large number that represents
the highly undesirable situation of an address collision.

— The second reward assignment (denoted ρ2) is used to keep track of the
number of probes that are sent in total. It is defined by: ρ2(s_i) = 1 for
0 < i ≤ n, ρ2(s_{n+3}) = n and 0 otherwise.

— Finally, the third reward assignment (denoted ρ3) is used to keep track of
the number of failed attempts to acquire an unused address. It is defined by:
ρ3(s_0) = 1 and 0 otherwise.



Properties of Interest. The reward-based operators are subscripted with three
reward intervals that refer to the three reward structures defined above. Intervals
equal to [0, ∞) are represented by a small line; if all reward intervals equal
[0, ∞) then the subscript is omitted. For instance, ◇_{−[4,10]−} error asserts that
the protocol eventually ends up with an address collision (state error) where
between 4 and 10 probes have been sent; no constraints are given on the number
of collisions and the required time. We consider the following properties that are
of interest for the IPv4 zeroconf protocol and provide their formal specification
in PRCTL.

(i) "The probability to end up with an unused address is at least p'":
    P_{≥p'}(◇ ok). As state ok is one of the BSCCs of the DTMC an alternative
    formulation would be L_{≥p'}(ok). (Note that, in general, the formulae
    P_J(◇Φ) and L_J(Φ) are not equivalent.)

(ii) "The probability to end up with an unused address within time t exceeds p'":
    P_{>p'}(◇_{[0,t]−−} ok)

(iii) "The probability to end up with an unused address after at most k probes
    exceeds p'":
    P_{>p'}(◇_{−[0,k]−} ok)

(iv) "The probability to end up with an unused address within time t while
    having sent at most k probes exceeds p'":
    P_{>p'}(◇_{[0,t][0,k]−} ok)

(v) "The probability to select more than k times a used address during the
    execution of the protocol is at most p'":
    P_{≤p'}(◇_{−−[k+1,∞)} start)

    Here we use the fact that on selecting a used address the host returns to the
    start state. As the host also starts the protocol in that state, the lower bound
    of the reward bound equals k+1 (rather than k).

Note that the first property does not refer to any reward and is in fact a PCTL
formula that can be verified using any model checker for this logic.
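The recursion for Y(s, Sat(Φ), n) at the start of this section and the zeroconf DMRM above, as an added Python example (this is not the paper's implementation). It builds the DTMC and the three reward structures from the textual description; since Fig. 3 is not reproduced here, the transition s_n → s_{n+1} → error is my reading of the text and is marked as an assumption in the code. It then evaluates the Y recursion by memoised recursion and checks reward-bounded reachability formulae such as (iv) by dynamic programming over (state, remaining reward budget), which is the integer-reward case the complexity analysis refers to. The parameter values, the helper names and the convention that a state's reward is earned when the state is left are assumptions made for the example.

```python
from fractions import Fraction
from functools import lru_cache


def zeroconf_dmrm(n, q, p, r, E):
    """DTMC of one host plus the reward structures rho1 (time), rho2 (probes), rho3 (failed picks).
    State numbering follows the text: s_0 start, s_i after the i-th probe (1 <= i <= n),
    s_{n+1} collision state (reward E), s_{n+2} error, s_{n+3} fresh-address wait, s_{n+4} ok.
    ASSUMPTION (Fig. 3 not reproduced): s_n moves with probability p to s_{n+1}, which moves to
    error with probability 1; error and ok are absorbing."""
    start, coll, err, fresh, ok = 0, n + 1, n + 2, n + 3, n + 4
    P = {s: {} for s in range(n + 5)}
    P[start] = {1: q, fresh: 1 - q}            # q: chosen address is already in use
    for i in range(1, n):
        P[i] = {i + 1: p, start: 1 - p}        # p: no reply within r time units
    P[n] = {coll: p, start: 1 - p}
    P[coll] = {err: 1}
    P[err] = {err: 1}
    P[fresh] = {ok: 1}
    P[ok] = {ok: 1}
    rho1 = {s: 0 for s in P}
    rho2 = dict(rho1)
    rho3 = dict(rho1)
    for i in range(1, n + 1):
        rho1[i], rho2[i] = r, 1
    rho1[fresh], rho2[fresh] = n * r, n
    rho1[coll] = E
    rho3[start] = 1
    labels = {"start": {start}, "error": {err}, "ok": {ok}}
    return P, (rho1, rho2, rho3), labels


def expected_reward_in(P, rho, sat, s, n):
    """Y(s, Sat(Phi), n): the least solution of the recursion quoted in the text, computed by
    memoised recursion; rho is only earned in states of `sat`."""
    @lru_cache(maxsize=None)
    def Y(s, n):
        if n == 0:
            return Fraction(0)
        here = rho[s] if s in sat else 0
        return here + sum(pr * Y(t, n - 1) for t, pr in P[s].items())
    return Y(s, n)


def reach_bounded(P, rhos, target, s, bounds):
    """P(<> target) with every reward interval of the form [0, b_j] (b_j = None: unbounded).
    Rewards are non-negative integers earned when a state is LEFT, so the target's own reward
    does not count. Every cycle that can still reach the target must carry positive reward in
    some bounded dimension (true here: s_1 has rho1 = r >= 1 and rho2 = 1)."""
    if all(b is None for b in bounds):
        raise ValueError("at least one reward bound is required")
    can_reach = set(target)                 # states from which the target is reachable at all
    changed = True
    while changed:
        changed = False
        for u, succ in P.items():
            if u not in can_reach and any(t in can_reach for t in succ):
                can_reach.add(u)
                changed = True

    @lru_cache(maxsize=None)
    def go(s, left):
        if s in target:
            return Fraction(1)
        if s not in can_reach:
            return Fraction(0)
        left2 = tuple(None if b is None else b - rho[s] for b, rho in zip(left, rhos))
        if any(b is not None and b < 0 for b in left2):
            return Fraction(0)          # budget exhausted before the target was reached
        return sum(pr * go(t, left2) for t, pr in P[s].items())
    return go(s, tuple(bounds))


def demo():
    # Constructed parameters for n = 4 probes (hypothetical, chosen to keep the numbers exact).
    n, q, p, r, E = 4, Fraction(1, 4), Fraction(1, 2), 2, 100
    P, (rho1, rho2, rho3), lab = zeroconf_dmrm(n, q, p, r, E)
    probing = {s for s in P if rho2[s] > 0}
    probes_3_steps = expected_reward_in(P, rho2, probing, 0, 3)          # Y(s_0, probing, 3)
    p_iv = reach_bounded(P, (rho1, rho2, rho3), lab["ok"], 0, (12, 6, None))   # (iv): t=12, k=6
    p_first_pick = reach_bounded(P, (rho1, rho2, rho3), lab["error"], 0, (None, None, 1))
    return probes_3_steps, p_iv, p_first_pick
```

With these parameters the only ways to reach ok within time 12 and at most 6 probes are the direct path, one or two single failed probes, and one two-probe failure, so demo() returns 27/8, 231/256 and 1/64 (the last is q·p^4, the chance of a collision when the very first pick is a used address).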



Verification Results. We use the following settings for the parameters: n = 7, 
m = 10 ^, p = 10 “^, and only present results concerning the two formulas (ii) 
and (iv), both requiring the application of the main algorithm (Figure 2). On
the top of Figure 4 different plots are shown for varying values of the bound t in
formula (ii), P_{>p'}(◇_{[0,t]−−} ok). We display the border probability p' where the
truth value of the formula turns from false to true. These boundary probabilities
are very close to 1. Therefore we use a semi-logarithmic scale, and plot 1 − p'
instead of p'. The value 1 − p' corresponds to the probability of not obtaining
an unused address in time. As expected, increasing the waiting time r decreases
the likelihood to obtain an unused address in time; but small changes to r may
not induce a change of the likelihood. This phenomenon has to do with the
fact that the state prior to the ok-state (s_7 in Figure 3) has a reward n·r.
For a fixed upper bound on the reward (here time t), a small increase of r
does not necessarily induce fewer opportunities (i.e. paths) to reach the ok-state.
Fig. 4. Boundary probabilities for formula (ii) (left) and (iv) (right)



This explains the displayed discontinuities. We further note that increasing the time
bound t also decreases the probability for a successful address assignment. On
the bottom of Figure 4 we depict the corresponding border probabilities for
formula (iv), P_{>p'}(◇_{[0,t][0,k]−} ok), with the same variations on t, while k = 15
remains constant. We observe that the shape of the displayed plots is similar to
the corresponding ones for formula (ii), but the computed probabilities p' are
lower by several orders of magnitude. This is a result of the constraining effect of
the second reward interval [0, k], which means that far fewer paths to the ok-state
satisfy all constraints.

6 Related Work 

A temporal logic with accompanying efficient model-checking algorithms for 
CTMCs has been introduced by Baier et al. [3] and was later extended to reward 
models [2, 12]. Another notable approach to continuous time reward analysis is 
based on path automata [15]. Basic analysis algorithms for continuous reward 
models are discussed in [16] which served also as a basis for our discrete time 
model checking algorithms. 

In the discrete time context, we are aware of the work of Voeten [20], who
describes a rich assembly language for discrete reward measures. Instead of
state-space based analysis algorithms, discrete event simulation is proposed to
compute these measures. De Alfaro [10] also describes analysis algorithms for
DMRM-like models, focussing on long-run average behaviours rather than on
finite-horizon properties such as bounded until while allowing for nondetermin-
ism. DMRM models have recently become somewhat en vogue as models for
power-aware systems. Sokolsky et al. [19] have proposed a process algebra to
specify power-aware systems as discrete time Markov models with nondetermin-
ism, and have proposed model checking a μ-calculus-like logic for their analysis.

7 Conclusion 

This paper developed logics and algorithms for model checking discrete time
Markov reward models, providing means to formulate and efficiently check com-
plex measure constraints involving expected as well as accumulated rewards.
We illustrated the approach by model-checking a probabilistic cost model of the
IPv4 zeroconf protocol developed for ad-hoc network address assignment.

Based on the work presented here, we are further investigating efficient algo- 
rithms for continuous time reward model checking. 
Abstract. Probabilistic timed automata, a variant of timed automata
extended with discrete probability distributions, is a specification for-
malism suitable for describing both nondeterministic and probabilistic
aspects of real-time systems, and is amenable to model checking against
probabilistic timed temporal logic properties. In the case of classical
(non-probabilistic) timed automata, it has been shown that for a large
class of real-time verification problems correctness can be established
using an integer-time model, inducing a notion of digital clocks, as op-
posed to the standard dense model of time. Based on these results, we
address the question of under what conditions digital clocks are sufficient
for the performance analysis of probabilistic timed automata. We extend
previous results concerning the integer-time semantics of an important
subclass of probabilistic timed automata to consider the computation of
expected costs or rewards. We illustrate this approach through the anal-
ysis of the dynamic configuration protocol for IPv4 link-local addresses.



1 Introduction 

Network protocols increasingly often rely on the use of randomness and timing 
delays, for example exponential back-off in Ethernet and IEEE 802.11, and IEEE 
1394 FireWire root contention. Since these protocols execute in a distributed 
environment, it is important to also consider nondeterminism when modelling 
their behaviour. For example, we may wish to model a system for which the 
likelihood of a certain event occurring changes with respect to the amount of time 
elapsed. A natural model for systems that exhibit nondeterminism, probability 
and real-time, called probabilistic timed automata, a probabilistic extension
of timed automata [1], has been proposed in [19]. In the probabilistic timed
automata model real-valued clocks measure the passage of time and transitions 
can be probabilistic, that is, be expressed as a discrete probability distribution 
on the set of target states. In [19] model checking algorithms for verifying the 

* Supported in part by the EPSRC grants GR/N22960 and GR/S11107. 
likelihood of certain temporal properties being satisfied by such system models
are introduced. However, these model checking algorithms are either based on 
region equivalence [1], and hence suffer from the state-space explosion problem, 
or on forwards reachability, which leads to approximate results [19, 11]. An 
alternative approach, based on backwards reachability, is given in [20]. 

When modelling real-time systems, there is often a trade-off between the 
expressiveness of the model and the complexity of the associated solution al- 
gorithms. A dense-time model is more expressive than an integer-time model; 
however, it is often the case that an integer-time model is easier to verify, since 
it can lead to a finite-state system and allows one to apply efficient symbolic 
methods developed for untimed systems. We refer to the clocks of an integer- 
time model as digital clocks. Henzinger et al. [15] study the question of which 
real-time properties can be verified by considering system behaviours featuring 
only integer durations. These results are applied to timed automata in [9, 24], 
and it is shown that an approach using digital clocks is applicable to the veri- 
fication of closed, diagonal-free timed automata; intuitively, these are automata 
whose constraints do not compare clocks or use strict comparison operators. 

We have previously shown that probabilistic reachability properties, such 
as ‘with probability 0.05 or less, the system aborts’, of closed, diagonal-free 
probabilistic timed automata can be analysed faithfully using digital clocks [22]. 
The main contribution of this paper is to extend this research by showing that 
digital clocks are also sufficient for verifying expected reachability properties such 
as ‘the expected time until a data packet is delivered is at most 0.05 seconds’, 
or ‘the expected cost of a host choosing an IP address is at most 40’. 

In [12], de Alfaro presents a model-checking algorithm for verifying proba- 
bilistic and expected reachability properties of finite-state models. We imple- 
mented the algorithms of de Alfaro in the probabilistic model checking tool 
PRISM [17, 25], allowing us to automatically verify expected-cost properties of 
interest for integer-time models. 

The paper proceeds by revisiting the definition of probabilistic timed au- 
tomata in the next section. Expected reachability properties for probabilistic 
timed automata are presented in Section 3, and the correctness of the digital 
clock interpretation of probabilistic timed automata with respect to these prop- 
erties is stated. In Section 4, we present a case study, in which PRISM is used 
to analyse the performance of the dynamic configuration protocol for IPv4 link- 
local addresses. Finally, in Section 5, we conclude the paper. 



2 Probabilistic Timed Automata 

Time, Clocks, Zones and Distributions. Let T ∈ {ℝ, ℕ} be the time domain
of either the non-negative reals or naturals. Let 𝒳 be a finite set of variables
called clocks which take values from the time domain T. A point v ∈ T^{|𝒳|} is
referred to as a clock valuation. Let 0 ∈ T^{|𝒳|} be the clock valuation which
assigns 0 to all clocks in 𝒳. For any v ∈ T^{|𝒳|} and t ∈ T, the clock valuation v ⊕ t
denotes the time increment of values in v by t. We use v[X := 0] to denote the
clock valuation obtained from v by resetting all of the clocks in X ⊆ 𝒳 to 0.

Let Zones(𝒳) be the set of zones over 𝒳, which are conjunctions of atomic
constraints of the form x ~ c for x ∈ 𝒳, ~ ∈ {≤, =, ≥}, and c ∈ ℕ. The clock
valuation v satisfies the zone ζ, written v ⊨ ζ, if and only if ζ resolves to true
after substituting each clock x ∈ 𝒳 with the corresponding clock value from v.
Readers familiar with timed automata will note that we consider the syntax of
closed, diagonal-free zones, which do not feature atomic constraints of the form
x > c or x < c (closed) or x − y ~ c (diagonal-free) for x, y ∈ 𝒳, c ∈ ℕ.

A discrete probability distribution over a countable set Q is a function μ :
Q → [0, 1] such that Σ_{q∈Q} μ(q) = 1. For a possibly uncountable set Q', let
Dist(Q') be the set of distributions over countable subsets of Q'. For q ∈ Q, let
μ_q ∈ Dist(Q) be the distribution which assigns probability 1 to q.

Syntax of Probabilistic Timed Automata. We review the definition of 
probabilistic timed automata [19]. 

Definition 1. A probabilistic timed automaton is a tuple (L, l̄, 𝒳, Σ, I, prob)
where: L is a finite set of locations including the initial location l̄; 𝒳 is a set of
clocks; Σ is a finite set of events; the function I : L → Zones(𝒳) is the invariant
condition; and the finite set prob ⊆ L × Zones(𝒳) × Σ × Dist(2^𝒳 × L) is the
probabilistic edge relation.

A state of a probabilistic timed automaton is a pair (l, v) where l ∈ L and
v ∈ T^{|𝒳|} are such that v ⊨ I(l). Informally, the behaviour of a probabilistic
timed automaton can be understood as follows. The model starts in the state
(l̄, 0); that is, in the initial location l̄ with all clocks set to 0. In any state (l, v),
there is a nondeterministic choice of either (1) making a discrete transition or
(2) letting time pass. In case (1), a discrete transition can be made according
to any (l, g, σ, p) ∈ prob which is enabled; that is, the zone g is satisfied by the
current clock valuation v. Then the probability of moving to the location l' and
resetting all of the clocks in X to 0 is given by p(X, l'). In case (2), the option of
letting time pass is available only if the invariant condition I(l) is satisfied while
time elapses. Note that we often refer to the model presented above as closed,
diagonal-free probabilistic timed automata, in order to distinguish the zones used
from those in previous work [19].



Semantics of Probabilistic Timed Automata. The semantics of proba- 
bilistic timed automata is defined in terms of timed probabilistic systems, which 
exhibit timed, nondeterministic and probabilistic behaviour. They are a variant 
of Markov decision processes [14] and Segala’s probabilistic timed automata [26]. 



Definition 2. A timed probabilistic system PS = (S, s̄, Act, T, Steps) consists
of a set S of states, an initial state s̄ ∈ S, a set Act of actions, a time domain
T, and a probabilistic transition relation Steps ⊆ S × (Act ∪ T) × Dist(S).

A probabilistic transition s −(a,μ)→ s' is made from a state s ∈ S by first nondeter-
ministically selecting an action-distribution or duration-distribution pair (a, μ)
such that (s, a, μ) ∈ Steps, and second by making a probabilistic choice of target
state s' according to the distribution μ, such that μ(s') > 0.

We consider two ways in which a timed probabilistic system's computation
may be represented. A path represents a particular resolution of both nondeter-
minism and probability. Formally, a path of a timed probabilistic system is a fi-
nite or infinite sequence of probabilistic transitions ω = s_0 −(a_0,μ_0)→ s_1 −(a_1,μ_1)→ ⋯.

A path ω is initialised in s if s_0 = s. We denote by ω(i) the (i+1)th state of
ω, last(ω) the last state of ω if ω is finite, and step(ω, i) the action associated
with the i-th step. If ω is infinite, the duration up to the (n+1)th state of ω is
defined by D_ω(n+1) = Σ{| a_i | 0 ≤ i ≤ n ∧ a_i ∈ T |}. Let Path_ful(s) be the set of
infinite paths initialised in s.

The second notion of a timed probabilistic system's computations is that of
an adversary, which represents a particular resolution of nondeterminism only.
Formally, an adversary is a function A mapping every finite path ω to a pair
(a, μ) such that (last(ω), a, μ) ∈ Steps [28]. For any adversary A, let Path^A_ful(s)
denote the set of infinite paths initialised in s associated with A. Then, we define
the probability measure Prob^A_s over Path^A_ful(s) by classical techniques [16].

We restrict our attention to time-divergent adversaries, a common restriction
imposed in real-time systems so that unrealisable behaviour (corresponding to
time not advancing beyond a bound) is disregarded during analysis. We say that
a path ω is divergent if for any t ∈ ℝ, there exists j ∈ ℕ such that D_ω(j) > t.

Definition 3. An adversary A of a timed probabilistic system PS is divergent
if and only if for each state s the probability Prob^A_s of the divergent paths of
Path^A_ful(s) is 1. Furthermore, let Adv_PS be the set of divergent adversaries of PS.

We now define the semantics of probabilistic timed automata defined in terms of 
timed probabilistic systems. Observe that the definition is parameterized both 
by a time domain T and time increment 0, and that the summation in the 
definition of discrete transitions is required for the cases in which multiple clock 
resets result in the same target location. 

Definition 4. Let PTA = (L, l̄, 𝒳, Σ, I, prob) be a probabilistic timed automa-
ton. The semantics of PTA with respect to the time domain T and the time in-
crement ⊕ is the timed probabilistic system ⟦PTA⟧^T_⊕ = (S, s̄, Σ, T, Steps) where:
S ⊆ L × T^{|𝒳|} and (l, v) ∈ S if and only if v ⊨ I(l); s̄ = (l̄, 0); and ((l, v), a, μ) ∈
Steps if and only if one of the following conditions holds:

Time transitions: a ∈ T, μ = μ_{(l, v ⊕ a)} and v ⊕ t ⊨ I(l) for all 0 ≤ t ≤ a;
Discrete transitions: a ∈ Σ and there exists (l, g, a, p) ∈ prob such that v ⊨ g
and for any (l', v') ∈ S, we have μ(l', v') = Σ_{X ⊆ 𝒳 ∧ v' = v[X := 0]} p(X, l').

Traditionally, the semantics of probabilistic timed automata assumes that the 
reals form the underlying model of time, paired with a time increment which is 
standard addition. The continuous semantics of a probabilistic timed automaton 
is a timed probabilistic system with generally uncountably many states. 
Definition 5. The continuous semantics of a probabilistic timed automaton
PTA is defined as ⟦PTA⟧^ℝ_+; that is, T = ℝ and ⊕ = +.



Higher- Level Modelling. To aid modelling, probabilistic timed automata can 
be composed in parallel [22], and can feature integer variables, urgent locations 
and events, and committed locations (as in UPPAAL timed automata [3]). The 
techniques of [27] can be adapted to represent, syntactically, integer variables 
and committed locations within our definition of probabilistic timed automata; 
urgent events require a minor adjustment to the semantics of probabilistic timed 
automata [21]. 



3 Performance Measures 



In this section, we consider two performance measures for probabilistic timed 
automata. The first is probabilistic reachability, namely the maximal and minimal 
probability of reaching, from the initial state, a certain set of goal or target states. 
For a timed probabilistic system PS = (S, s̄, Act, T, Steps), set F ⊆ S of target
states, and adversary A ∈ Adv_PS, let:

p^A_s(F) = Prob^A_s{ω ∈ Path^A_ful(s) | ∃i ∈ ℕ . ω(i) ∈ F}.

Definition 6. The maximal and minimal reachability probabilities of reaching
the set of states F of the timed probabilistic system PS are defined as follows:

p^max_PS(F) = sup_{A ∈ Adv_PS} p^A_s̄(F)   and   p^min_PS(F) = inf_{A ∈ Adv_PS} p^A_s̄(F).



This performance measure has been studied in the context of probabilistic timed 
automata by Kwiatkowska et al. [19, 22]. 

The second measure we consider is expected reachability, which allows us to 
compute the expected cost (or reward) accumulated before reaching a certain 
set of states. Expected reachability is defined with respect to a cost function
mapping actions and durations to real values, as well as a set F ⊆ S of target
states, and corresponds to the expected cost (with respect to the given cost
function) of reaching a state in F. More formally, for a timed probabilistic system
PS = (S, s̄, Act, T, Steps), cost function c : Act ∪ T → ℝ, set F ⊆ S of target
states, and adversary A ∈ Adv_PS, let e^A_s(cost(c, F)) denote the usual expectation
with respect to the measure Prob^A_s over Path^A_ful(s), where for any ω ∈ Path^A_ful(s):

$$cost(c, F)(\omega) = \begin{cases} \displaystyle\sum_{i=1}^{\min\{j \mid \omega(j) \in F\}} c(step(\omega, i-1)) & \text{if } \exists j \in \mathbb{N}.\ \omega(j) \in F \\[8pt] \infty & \text{otherwise.} \end{cases}$$



The value of cost(c, F)(ω) equals the total cost, with respect to the cost func-
tion c, accumulated until a state in F is reached along the path ω. Note that we
define the cost of a path which does not reach F to be ∞, even though the total
cost of the path may not be infinite. Hence, the expected cost of reaching F
from s is finite if and only if a state in F is reached from s with probability 1.
Expected time reachability (the expected time with which a given set of states
can be reached) is a special case of expected reachability, corresponding to the
case when c(a) = 0 for all a ∈ Act and c(t) = t for all t ∈ T.

Definition 7. The maximal and minimal expected costs of reaching a set of
states F under the cost function c in the timed probabilistic system PS are defined
as follows:

e^max_PS(c, F) = sup_{A ∈ Adv_PS} e^A_s̄(cost(c, F))   and   e^min_PS(c, F) = inf_{A ∈ Adv_PS} e^A_s̄(cost(c, F)).

We note that calculating expected reachability is equivalent to the stochastic 
shortest path problem for Markov decision processes; see for example [6]. 

At the level of probabilistic timed automata, one can define a cost function
using a pair (r, c_Σ), where r ∈ ℝ gives the rate at which cost is accumulated as
time passes, and c_Σ : Σ → ℝ is a function assigning the cost of executing each
event in Σ. The associated cost function c_{r,c_Σ} is defined by c_{r,c_Σ}(t) = t · r for
all t ∈ T, and c_{r,c_Σ}(σ) = c_Σ(σ) for all σ ∈ Σ. A probabilistic timed automaton
equipped with a pair (r, c_Σ) is a probabilistic generalisation of uniformly priced
timed automata [4].

For both probabilistic and expected reachability, we can consider reaching
a state satisfying a formula which is a conjunction of propositions identifying
locations and clock constraints of the form x ~ c for x ∈ 𝒳, ~ ∈ {≤, =, ≥}
and c ∈ ℕ. Instead of considering these cases separately, we just note that such
reachability problems can be reduced to those referring to locations only by
modifying syntactically the probabilistic timed automaton of interest (see [19]).

For examples of the types of properties of probabilistic timed automata which 
can be expressed using expected reachability, consider the following: ‘the ex- 
pected time until a host can use an IP address is at most 0.05 seconds’, ‘the 
expected number of packets sent before failure is at least 300’ and ‘the expected 
number of lost messages within the first 200 seconds is at most 10’. In the case 
of the third example, we would first need to modify the probabilistic timed au- 
tomaton under study by adding a distinct clock (to represent global time) and 
a location such that, from all locations, once the global clock has reached 200 
seconds, the only transition is to this new location. The set of target states would 
then be the set containing only the new location and the cost function would 
equal 0 on all time transitions and events except those events corresponding to 
a message being lost; the costs for those actions would be set to 1. 

Performance Measures and Digital Clocks. We now show, under the re- 
striction that the probabilistic timed automaton under study is diagonal-free and 
closed, that it suffices just to consider the integer-time semantics when verifying 
expected reachability properties. 

Definition 8. For any x ∈ 𝒳, let k_x denote the greatest constant that the
clock x is compared to in the zones of PTA. Define ⊕_ℕ such that, for any clock
valuation v ∈ ℕ^{|𝒳|} and time duration t ∈ ℕ, the clock valuation v ⊕_ℕ t assigns
the value min{v_x + t, k_x + 1} to all clocks x ∈ 𝒳. The integer-time semantics of
PTA is then defined as ⟦PTA⟧^ℕ_{⊕ℕ}; that is, T = ℕ and ⊕ = ⊕_ℕ.

Let PTA = (L, l̄, 𝒳, Σ, I, prob) be a (closed, diagonal-free) probabilistic timed
automaton. For any set of locations L' ⊆ L, we denote by F^T_{L'} the set of all states
of ⟦PTA⟧^T_⊕ which correspond to these locations; that is F^T_{L'} = {(l, v) | l ∈ L', v ∈
T^{|𝒳|} ∧ v ⊨ I(l)}.

Theorem 1. For any (closed, diagonal-free) probabilistic timed automaton PTA,
set of locations L' ⊆ L and cost function c : Σ ∪ ℝ → ℝ which satisfies c(t + t') =
c(t) + c(t') for all t, t' ∈ ℝ:

$$e^{\max}_{[\![PTA]\!]^{\mathbb{R}}_{+}}(c, F^{\mathbb{R}}_{L'}) = e^{\max}_{[\![PTA]\!]^{\mathbb{N}}_{\oplus_{\mathbb{N}}}}(c, F^{\mathbb{N}}_{L'}) \quad\text{and}\quad e^{\min}_{[\![PTA]\!]^{\mathbb{R}}_{+}}(c, F^{\mathbb{R}}_{L'}) = e^{\min}_{[\![PTA]\!]^{\mathbb{N}}_{\oplus_{\mathbb{N}}}}(c, F^{\mathbb{N}}_{L'}).$$

The proof of the correctness of Theorem 1 can be found in [18]. Note that any
cost function defined by a pair (r, c_Σ), where r ∈ ℝ and c_Σ : Σ → ℝ, will satisfy
the condition c(t + t') = c(t) + c(t') for all t, t' ∈ ℝ. The analogous result for
probabilistic reachability is proved in [22] and states:
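Definitions 4, 7 and 8 in executable form, as an added Python example (this is not the authors' PRISM model). A small hypothetical closed, diagonal-free PTA with one clock is unfolded into its integer-time semantics ⟦PTA⟧^ℕ_{⊕ℕ}, with clocks saturating at k_x + 1 as in Definition 8, and the minimal and maximal expected cost of reaching the target location under the cost function c_{r,c_Σ} is computed by value iteration over the resulting finite system, which is the stochastic shortest path computation the text refers to. The model itself (locations choose, probe and use, the guard and invariant constants, the probabilities 0.9/0.1, the rate r = 1 and c_Σ(send) = 1) is invented for illustration, as are all function names.

```python
# Hypothetical closed, diagonal-free PTA written as plain Python data (example, not the paper's model).
# A zone is a conjunction given as a list of atoms (clock, op, c) with op in {"<=", "==", ">="}.
CLOCKS = ("x",)
INIT = "choose"
INVARIANT = {"choose": [("x", "<=", 0)],   # must leave immediately
             "probe":  [("x", "<=", 2)],   # may send between 1 and 2 time units after entering
             "use":    []}                 # target location, invariant true
# prob: (source, guard, event, [(probability, clocks to reset, target location)])
PROB = [("choose", [], "pick", [(1.0, {"x"}, "probe")]),
        ("probe", [("x", ">=", 1)], "send", [(0.9, {"x"}, "use"), (0.1, {"x"}, "choose")])]
RATE = 1.0                               # r: cost accumulated per time unit
EVENT_COST = {"pick": 0.0, "send": 1.0}  # c_Sigma
TARGET_LOCS = {"use"}

OPS = {"<=": lambda a, b: a <= b, "==": lambda a, b: a == b, ">=": lambda a, b: a >= b}
IDX = {x: i for i, x in enumerate(CLOCKS)}


def satisfies(v, zone):
    """v |= zone for a valuation v given as a tuple aligned with CLOCKS."""
    return all(OPS[op](v[IDX[x]], c) for x, op, c in zone)


def max_constants():
    """k_x: the largest constant each clock is compared with (Definition 8)."""
    k = {x: 0 for x in CLOCKS}
    for zone in list(INVARIANT.values()) + [g for _, g, _, _ in PROB]:
        for x, _, c in zone:
            k[x] = max(k[x], c)
    return k


def digital_increment(v, t, k):
    """v (+)_N t: every clock advances by t but saturates at k_x + 1."""
    return tuple(min(v[IDX[x]] + t, k[x] + 1) for x in CLOCKS)


def reset(v, X):
    return tuple(0 if x in X else v[IDX[x]] for x in CLOCKS)


def integer_semantics():
    """Explore [[PTA]] for T = N and (+) = (+)_N (Definition 4). Returns the initial state and a
    map state -> list of (cost, distribution) choices, the cost being c_{r,c_Sigma} of the action."""
    k = max_constants()
    horizon = max(k.values()) + 1         # longer delays are indistinguishable after saturation
    init = (INIT, tuple(0 for _ in CLOCKS))
    steps, todo = {}, [init]
    while todo:
        s = todo.pop()
        if s in steps:
            continue
        l, v = s
        choices = []
        # Time transitions: duration a >= 1 such that the invariant holds at every point 0..a
        # (a = 0 changes nothing and is excluded by the time-divergence restriction).
        for a in range(1, horizon + 1):
            if all(satisfies(digital_increment(v, t, k), INVARIANT[l]) for t in range(a + 1)):
                choices.append((RATE * a, {(l, digital_increment(v, a, k)): 1.0}))
        # Discrete transitions: enabled edges; resets leading to the same (l', v') are summed.
        for src, guard, ev, dist in PROB:
            if src == l and satisfies(v, guard):
                mu = {}
                for pr, X, tgt in dist:
                    t = (tgt, reset(v, X))
                    assert satisfies(t[1], INVARIANT[tgt])   # (l', v') must be a state
                    mu[t] = mu.get(t, 0.0) + pr
                choices.append((EVENT_COST[ev], mu))
        steps[s] = choices
        for _, mu in choices:
            todo.extend(mu)
    return init, steps


def expected_cost(init, steps, maximise, eps=1e-12, max_iter=100000):
    """Value iteration for e^max / e^min (Definition 7) on the finite integer-time system.
    Assumes every divergent adversary reaches TARGET_LOCS with probability 1 and that no
    non-target state is deadlocked; otherwise the expected cost would be infinite."""
    best = max if maximise else min
    e = {s: 0.0 for s in steps}
    for _ in range(max_iter):
        new = {s: 0.0 if s[0] in TARGET_LOCS
               else best(c + sum(p * e[t] for t, p in mu.items()) for c, mu in steps[s])
               for s in steps}
        delta = max(abs(new[s] - e[s]) for s in e)
        e = new
        if delta < eps:
            break
    return e[init]


def analyse():
    init, steps = integer_semantics()
    return len(steps), expected_cost(init, steps, False), expected_cost(init, steps, True)
```

The unfolding has eight states (choose with x = 0, probe with x ∈ {0, 1, 2}, and use with x ∈ {0, 1, 2, 3}, the last being the saturated value k_x + 1). By Theorem 1 the two numbers coincide with the dense-time values, which here can be checked by hand: the cheapest adversary sends after exactly one time unit, paying 1 + 1 per attempt, so e^min = 2/0.9 = 20/9, while the dearest waits the full two units, giving e^max = 3/0.9 = 10/3.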



4 Case Study: Dynamic Configuration 
of Link-Local Addresses in IPv4 

In this section, we illustrate the utility of the integer-time semantics of proba- 
bilistic timed automata with an analysis of the dynamic configuration protocol 
for IPv4 link- local addresses [10]. 

The dynamic configuration protocol for IPv4 addresses offers a distributed 
‘plug-and-play’ solution in which IP address configuration is managed by indi- 
vidual devices connected to a local network. Upon connecting to the network, 
a device, henceforth called a host, first randomly chooses an IP address from
a pool of 65024 available (the Internet Assigned Numbers Authority has allo-
cated the addresses from 169.254.1.0 to 169.254.254.255 for the purpose of such
link-local networks). The host waits a random time of between 0 and 2 seconds
before sending four Address Resolution Protocol (ARP) packets, called probes, to 
all of the other hosts of the network. Probes contain the IP address selected by 
the host, operate as requests to use the address, and are sent at 2 second inter- 
vals. A host which is already using the address will respond with an ARP reply 
packet, asserting its claim to the address, and the original host will restart the 
protocol by reconfiguring its chosen address and sending new probes. If the host 
sends four probes without receiving an ARP reply packet, then it commences to 
use the chosen IP address. The host then sends confirmations of this fact to the 
other hosts of the network by means of two gratuitous ARPs, also at 2 second 
intervals. The protocol has an inherent degree of redundancy, for example with
regard to the number of repeated ARP packets sent, in order to cope with mes-
sage loss. Indeed, message loss makes possible the undesirable situation in which
two or more hosts use the same IP address simultaneously.

A host which has commenced using an IP address must reply to ARP packets 
containing the same IP addresses that it receives from other hosts. It continues 
using the address unless it receives any ARP packet other than a probe (for 
example, a gratuitous ARP) containing the IP address that it is using currently. 
In such a case, the host can either defend its IP address, or defer to the host 
which sent the conflicting ARP packet. The host may only defend its address if 
it has not received a previous conflicting ARP packet within the previous ten 
seconds; otherwise it is forced to defer. A defending host replies by the sending 
an ARP packet, thereby indicating that it is using the IP address. A deferring 
host does not send a reply; instead, it ceases using its current IP address, and 
reconfigures its IP address by restarting the protocol. 

As in [29], we assume a ‘broadcast ’-based communication medium with no 
routers (for example, a single wire), in which messages arrive in the order in 
which they are sent. In contrast to the analytic analysis of the protocol of 
Bohnenkamp et al. [8] , we model the possibility that a device could surrender an 
IP address that it is using to another host; and in contrast to timed-automata- 
based analysis of Zhang and Vaandrager [29], we model some important prob- 
abilistic characteristics of the protocol, and consider parameters more faithful 
to the standard (such as the maximum number of times a device can witness 
an ARP packet with the same IP address as that which it wishes to use before 
‘backing off’ and remaining idle for at least one minute). 

In the standard [10], there is no mention of what a host should do with 
messages corresponding to its current IP address (i.e. the probes and gratuitous 
ARP packets specified in the standard) which are in its output buffer (i.e. those 
that have yet to be sent), when it reconfigures (chooses a new IP address). How-
ever, when the host does reconfigure, unless it picks the same IP address, which
happens with the very small probability 1/65024, these messages are not rel- 
evant. In fact, such messages will slow down the network and may even make 
hosts reconfigure when they do not need to. We therefore considered two dif- 
ferent versions of the protocol: one where the host does not do anything about 
these messages (no_reset) and another where the host clears its buffer (removes 
the messages) when it is about to choose a new IP address (reset). 

4.1 Modelling the Dynamic Configuration Protocol 

Preliminaries. We consider in detail one concrete host, which is attempting to 
configure an IP address for a network in which, as in [8], there are 1000 abstract 
hosts (they are called abstract because we do not study their behaviour in depth) 
which have already configured IP addresses. Therefore, when the concrete host 
picks an address, the probability of this address being fresh (not in use by an 
abstract host) is 64024/65024. We also assume that the concrete host never picks 
the same IP address twice, as this happens only with a very small probability. 

Following the above assumptions, we require only three abstract IP addresses: 

0 - an address of an abstract host which the concrete host previously chose; 

1 - an address of an abstract host which is the concrete host’s current choice; 

2 - a fresh address which is the concrete host’s current choice. 

Table 1. Integer variables used in the probabilistic timed automata 

variable  description                                                       range 
coll      the number of address collisions detected by the concrete host    0..10 
iph       the current address of the concrete host                          1..2 
defend    equals 1 when the host is defending its address (0 otherwise)     0..1 
probes    the number of probes/ARPs sent by the concrete host               0..N 
ip        the address of the ARP packet currently being sent                0..2 
n         the number of packets in the concrete host’s output buffer        0..8 
b[i]      the address of packet i in the concrete host’s output buffer      0..1 
m0        the number of packets containing an IP address of type 0 in       0..20 
          all of the buffers of the abstract hosts 
m1        the number of packets containing an IP address of type 1 in       0..8 
          all of the buffers of the abstract hosts 

As in the standard [10], we suppose that it takes between 0 and 1 second to 
send a packet between hosts (where the choice of the exact time delay is 
nondeterministic). Since the abstract hosts have already picked their IP address, by 
supposing that they always defend their addresses, the concrete host will never 
receive probes. It then follows that we do not need to record the type of message 
being sent, but instead only the IP address in the message, and whether it is 
sent from the concrete host to the abstract hosts or vice versa. 

As in [29], we consider the case in which hosts use output buffers to store 
the packets they want to send. We have chosen the size of the buffers such that 
the probability of any buffer becoming full is negligible. We suppose that the 
concrete host can send a packet to all the abstract hosts at the same time and 
only one of the abstract hosts can send a packet to the concrete host at a time. 

The set of variables of our probabilistic timed automata includes both clocks 
(x, y and z) and integer variables which are described in Table 1. Note that the 
range of the integer variable probes is changed for different verification instances, 
and since the abstract IP address 2 corresponds to a fresh address chosen by the 
concrete host we need only two buffers for the abstract hosts (corresponding to 
addresses of type 0 and 1). 

Probabilistic Timed Automata for the Protocol. In the following, we 
describe the modelling of the reset version of the protocol only. We use two 
probabilistic timed automata, one to model the concrete host and one to model 
the environment (the abstract hosts and the output buffers of all hosts). 

The model for the concrete host is shown in Figure 1. The host commences in 
the location RECONF (the double border indicates it is the initial location); this 
is a committed location, and therefore must be left immediately. In RECONF, 
the host chooses a new IP address by moving to the location CHOOSE if it has 
experienced less than ten address collisions, and to CHOOSE_WAIT otherwise. 
These transitions are labelled with the event reset to inform the environment 
that the host’s buffer is to be reset (all messages in its buffer are to be removed). 

[Fig. 1. Probabilistic timed automaton for the concrete host (figure not reproduced in the text)] 

In both CHOOSE and CHOOSE_WAIT, the address selection is represented 
by the assignment iph:=RAND(1, 2), which corresponds to the host randomly 
selecting an IP address (using the probabilities given at the start of this section). 
The assignment to the clock x (a uniform choice between {0,1,2}) approximates 
the random delay of between 0 and 2 made by the host before sending the first 
probe. Note that, in CHOOSE_WAIT, since the host has already experienced at 
least ten address collisions, it waits 60 seconds before choosing a new address. 

In the location WAITSP the host sends N probes at 2 second intervals (the 
self-loop labelled with send). The host may also receive packets by means of 
the event rec. If it receives a packet which has a different IP address (ip≠iph), 
then the host ignores the packet (and remains in WAITSP); however, if it has 
the same address, the host immediately reconfigures (moves to RECONF). When 
sending the Nth probe, the host proceeds to location WAITSG, waits 2 seconds 
and then sends two gratuitous ARPs (re-using the variable probes to count these 
ARPs). After these ARPs have been sent, the host moves to USE. However, if 
while in WAITSG the host receives a packet with the same IP address, it moves 
to RESPOND. In this location, the host can decide to reconfigure (return to 
RECONF), or defend its IP address (by sending an ARP packet) if it has either 
not yet defended the address (defend=0) or 10 seconds have passed since it 
previously defended the address (y>10). This defence takes the form of sending 
a defending packet, as denoted by the send labelled transition from RESPOND 
to WAITSG. 

[Fig. 2. Probabilistic timed automaton for the environment (locations IDLE, CONC_SEND 
and ENV_SEND; the figure itself is not reproduced in the text)] 

The model for the environment is shown in Figure 2. The dotted box labelled 
with three transitions which surrounds the model denotes that these transitions 
are available in all of the locations of the model. More precisely, in all locations, 
the environment may: receive a send event from the concrete host and, if the 
host’s buffer is not full (n<8), add the corresponding packet to the buffer 
(otherwise it is lost); receive a reset event and clear the buffer of the concrete 
host (n:=0) and, since we assume that the concrete host will never choose the 
same IP address twice, set the IP address in any packet being sent or to be sent 
to type 0 (i.e. ip:=0, m1:=0 and m0:=min(m0+m1, 20)). 

The behaviour of the environment commences in the location IDLE. The 
transition which probabilistically moves to either IDLE or CONC_SEND corre- 
sponds to the environment sending a packet from the concrete host’s buffer. 
The urgent labelling denotes that the transition should be taken as soon as it 
is enabled, i.e. it should be taken as soon as there is something to send. Simi- 
larly, the transitions which move probabilistically to either IDLE or ENV_SEND 
correspond to an abstract host sending a packet, and are again urgent. There 
are two such transitions, since the address in the packet can either be of type 
0 (m0>0) or 1 (m1>0). For each of these transitions, the loop (remaining in 
IDLE) corresponds to the packet being lost by the medium, while the other edge 
corresponds to the packet being sent correctly (therefore the required buffers are 
updated when one of these transitions is taken). Note that, since each of these 
transitions corresponds to a message from a different host, when more than one 
of these transitions is enabled, there is a nondeterministic choice as to which one 
is taken. We vary the probability of message loss depending on the verification 
instance. Once in either CONC_SEND or ENV_SEND, after a delay of between 
0 and 1 seconds, the model returns to IDLE; this corresponds to the message 
taking between 0 and 1 seconds to send. 

4.2 Verification Using PRISM 

In this section, we outline our results of using PRISM [17] to verify the integer- 
time model of the probabilistic timed automata of the dynamic configuration 
protocol given in Section 4.1. In the experiments, we fixed the number of hosts at 
1000 and varied both the number of probes a host sends (N), and the probability 
of message loss. Further details, including analysis for a network of 20 hosts, can 
be found at the PRISM web page [25]. The algorithms used by PRISM for 
both probabilistic and expected reachability are taken from the literature; for 
probabilistic reachability see [7], and for expected reachability see [12, 13]. 

To apply model-checking methods we must ensure that the model under 
study has only finitely-many states and is finitely branching. From the construc- 
tion given in Section 3, the integer-time model will have finitely many states. To 
ensure finite branching, we restrict the delays from ℕ to some finite set. More 
precisely, we allow delays of duration 1 only. Then, since any transition of du- 
ration t ∈ ℕ can be modelled by a sequence of transitions of duration 1 and we 
restrict our attention to divergent adversaries, nothing is lost by omitting delays 
greater than 1 or equal to 0. 

Note that, because we have abstracted certain aspects of the network (for 
example, the time taken to send a message), the presented results will give 
upper and lower bounds on the performance of the protocol, for example the 
actual reachability probability will lie in between the minimum and maximum 
reachability probabilities computed for the model under study. 

Probabilistic Reachability. The probabilistic reachability property we con- 
sider is the (minimum and maximum) probability of the host using an IP ad- 
dress which is already in use by another host. The results obtained in the case of 
maximum probabilistic reachability are given in Table 2. For results concerning 
minimum reachability probabilities see the PRISM web page [25]. 

Table 2. Maximum probabilistic reachability results for the IPv4 protocol 

number of     probability of message loss 
probes sent   0                    0.1                  0.01                 0.001 
              no_reset   reset     no_reset   reset     no_reset   reset     no_reset   reset 
1             0.01538    0.01538   0.01538    0.01538   0.01538    0.01538   0.01538    0.01538 
2             8.0e-5     0         0.00298    0.00296   3.8e-4     3.1e-4    1.1e-4     3.1e-5 
3             1.2e-6     0         5.6e-4     5.6e-4    7.2e-6     6.2e-6    1.3e-6     6.2e-8 
4             4.2e-7     0         1.1e-4     1.1e-4    5.0e-7     1.2e-7    4.1e-7     1.2e-10 
5             8.5e-9     0         2.0e-5     2.0e-5    9.8e-9     2.4e-9    8.4e-9     2.5e-13 
6             2.2e-9     0         3.9e-6     3.9e-6    1.9e-9     4.9e-11   2.2e-9     4.9e-16 

The results obtained show the expected result: increasing the number of 
probes sent decreases the probability of the host using an IP address which is 
already in use (recall that the number specified by the standard is four). When 
the probability of message loss is 0, Table 2 shows that the maximum probability 
is 0 for the model reset (the model where the host clears its buffer) provided 
the host sends more than one probe. On the other hand, for the model no_reset 
(when the host does not clear its buffer), even if the host sends more than one 
probe, this maximum reachability probability is greater than 0. To understand 
this result, consider the fact that, if a host does not clear its buffer, then there 
is a chance that the probes corresponding to its new IP address will get delayed, 
and hence the host will not receive a reply to these probes until after it starts 
using the address (as the probability of message loss is 0, the host will eventually get a reply). 
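The delay mechanism just described can be reproduced in a small discrete-time simulation. The following is an added example written for this page, not the authors' PRISM model or any code of the paper: it keeps the buffer size of 8 from Table 1, the 2 second probe interval and the two gratuitous ARPs, but fixes every transmission at its maximum of 1 second, takes the host's initial random delay as 0, spaces the two gratuitous ARPs 2 seconds apart, models no message loss, and resolves the environment's nondeterministic choice between a packet from the concrete host's buffer and a reply from an abstract host in favour of the concrete host. The function names and the count of six stale packets are constructed.

```python
from collections import deque

BUFFER_CAP = 8        # the concrete host's output buffer holds at most 8 packets (Table 1: n in 0..8)
PROBE_INTERVAL = 2    # probes are sent 2 seconds apart (Section 4.1)
GRATUITOUS_ARPS = 2   # two gratuitous ARPs follow the last probe (Section 4.1)
SEND_TIME = 1         # every transmission takes its maximum of 1 second (constructed simplification)


def host_send_schedule(n_probes):
    """Times at which the concrete host hands a probe or gratuitous ARP for its
    newly chosen address to its output buffer, and the time it enters USE.

    Assumptions (ours, not the paper's): the initial random delay is 0 and the
    two gratuitous ARPs are spaced PROBE_INTERVAL apart like the probes."""
    probes = [PROBE_INTERVAL * i for i in range(n_probes)]
    arps = [probes[-1] + PROBE_INTERVAL * (k + 1) for k in range(GRATUITOUS_ARPS)]
    return probes + arps, arps[-1]


def simulate(n_probes, stale_packets, reset, horizon=200):
    """Return (time the first reply reaches the concrete host, time it enters USE).

    stale_packets: packets for the host's previous address still queued when it
    reconfigures (constructed input). With reset=True they are discarded, as in
    the paper's reset model; otherwise they sit in front of the new probes.
    The medium carries one packet per SEND_TIME; when both the concrete host's
    buffer and an abstract host's reply are ready, the concrete host's packet
    goes first (one of the nondeterministic resolutions the model allows).
    No message loss is modelled."""
    sends, use_time = host_send_schedule(n_probes)
    host_buf = deque()    # the concrete host's output buffer
    env_buf = deque()     # replies waiting to be sent by the abstract host
    if not reset:
        host_buf.extend(["old"] * stale_packets)
    pending = set(sends)
    for t in range(0, horizon, SEND_TIME):
        if t in pending:
            if len(host_buf) < BUFFER_CAP:
                host_buf.append("new")
            # else: the packet is lost, as when n=8 in the environment model
        if host_buf:
            pkt = host_buf.popleft()         # delivered during [t, t+SEND_TIME]
            if pkt == "new":
                env_buf.append("reply")      # an abstract host owns the address and defends it
        elif env_buf:
            env_buf.popleft()
            return t + SEND_TIME, use_time   # the reply reaches the concrete host
    return None, use_time


def collision_before_reply(n_probes, stale_packets, reset):
    """True when the host enters USE before any reply has arrived."""
    reply_at, use_at = simulate(n_probes, stale_packets, reset)
    return reply_at is None or reply_at > use_at


if __name__ == "__main__":
    for reset in (True, False):
        print("reset" if reset else "no_reset", simulate(2, 6, reset))
```

With six stale packets and two probes, the reply to the first probe arrives at time 11 in the no_reset run, after the host has entered USE at time 6, whereas with reset it arrives at time 2, while the host is still probing. This is the kind of run the paragraph above describes; it is not a computation of the probabilities in Table 2, which depend on the random delays, message loss and the adversary that the PRISM model ranges over.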

In the cases when message loss is greater than 0, the results again demon- 
strate that, by allowing the host to clear its buffer, the performance of the 
protocol improves; that is, the maximum reachability probability decreases (our 
experiments also show that the minimum probability increases, see [25]). 

Expected Reachability. We consider the expected cost of a host choosing an IP 
address and using it. As in [8], the cost is defined as the time to start using an IP 
address plus an additional cost (10^6) associated with the host using an address 
which is already in use. Note that the choice of the value of this additional cost 
will depend on how damaging it is for two hosts to use the same IP address, 
which in turn depends on the network and the nature of its devices. 

The results for the model reset are presented in Figure 3. Note that the 
model no_reset produced similar results, although the minimum costs are smaller 
and the maximum costs are larger (see [25] for further details). This is to be 
expected, since the results for probabilistic reachability show that, when the 
host does not clear its buffer, there is a greater chance of it using an IP address 
which is already in use, and hence of incurring a greater cost. 

These results are similar to those of [8]: as the message loss probability in- 
creases, one must increase the number of probes sent in order to reduce the 
expected cost; however, by sending too many probes the expected cost may then 
start to increase. The rationale for this is that, although increasing the number 
of probes sent decreases the probability of the host using an IP address which is 
already in use (that is, decreases the chance of incurring the additional cost), it 
increases the expected time to choose an IP address (sending more probes takes 
more time). 
[Fig. 3. Expected cost results for the IPv4 protocol; three panels, for messages lost 
with probability 0.1, 0.01 and 0.001 (plots not reproduced in the text)] 



5 Conclusions 

We have presented results demonstrating that digital clocks are sufficient for 
analysing a large class of probabilistic timed automata and performance prop- 
erties. Since many of today’s protocols include both timing and probabilistic 
behaviour, this approach is widely applicable, a fact which we illustrate by 
analysing the performance of the IPv4 dynamic configuration protocol. 

Future work could consider extending the cost functions in order to vary the 
rate of cost accumulation in different locations, as in priced or weighted timed 
automata [5, 2]. There are still limitations as to the size of the models that 
can be considered using digital clocks. In the case of probabilistic reachability, 
a generally more efficient approach is to consider zones, and in particular the 
backwards reachability approach introduced in [20]. The application of zones to 
the verification of priced timed automata [23] may be instructive to this line of 
research. 
Abstract. In this article, we propose an interval based algebra for de- 
tection of complex events. The algebra includes a strong restriction policy 
in order to comply with the resource requirements of embedded or real- 
time applications. We prove a set of algebraic properties to justify the 
novel restriction policy and to establish the relation between the unre- 
stricted algebra and the restricted version. Finally, we present an efficient 
algorithm that implements the proposed algebra. 



1 Introduction 

A wide range of applications, including active databases, traffic monitoring sys- 
tems and rule based embedded systems, are based on the detection of events 
that trigger an appropriate response from the system. Events can be simple, 
e.g., sampled directly from the environment or occurring within the system, but 
it is often necessary to react to more sophisticated situations involving a number 
of simpler events that occur in accordance with some pattern. 

A standard way in which to allow systems to react to sophisticated situations 
is to introduce complex events by means of an event algebra. These complex 
events can then be used to trigger actions just like simple events. A benefit of 
this method is that the mechanisms handling event detection are separated from 
the rest of the system logic. 

Since our primary interest concerns embedded applications and systems with 
strict timeliness requirements, it is essential that the event detection can be 
implemented with limited resources. As a result, the algebra must be restricted 
so as to only detect a subset of all possible occurrences of complex events. This 
can be achieved by applying a suitable restriction policy, as will be described in 
the next section. 

A great many event algebras have been proposed for different applications. 
Most of them include operators such as disjunction, sequence, conjunction and 
some form of negation, but the semantics of these operators vary. Further, many 
systems add to these some operators of their own. Restriction policies are typi- 
cally informally defined and little effort is spent determining the algebraic proper- 
ties of the algebra. 
We propose an interval based event algebra with well-defined formal seman- 
tics, and with a restriction policy strong enough to make it effectively imple- 
mentable. We also state a number of algebraic properties, including a clear de- 
scription of the relation between the unrestricted algebra and the restricted 
version. Finally, we present an efficient algorithm that implements the proposed 
algebra. 

The rest of this paper is organised as follows: Section 2 introduces techniques 
commonly used in event algebras and presents related work. The algebra is 
defined in Section 3, followed by a presentation of the algebraic properties in 
Section 4. Section 5 presents the algorithm, and Section 6 concludes the paper. 

2 Event Algebras 

The following operations, or variants of them, are found in most event algebras. 
Disjunction of A and B means that either of A and B occurs, here denoted A ∨ B. 
Conjunction means that both events have occurred, possibly not simultaneously, 
and is denoted A + B. The negation, denoted A − B, occurs when there is an 
occurrence of A during which there is no occurrence of B. Finally, a sequence 
of A and B is an occurrence of A followed by an occurrence of B, and is denoted 
A;B. 

Examples of how event algebras are used in the area of active databases 
include SAMOS [5], Snoop [3] and Ode [6]. These three systems differ primarily 
in the choice of detection mechanism. SAMOS is based on Petri nets, while Snoop 
uses event graphs. In Ode, event definitions are equivalent to regular expressions 
and can be detected by state automata. 

A formalized schema for this type of event detection, including a definition 
of the operations and restriction policies of Snoop using this schema, has been 
defined by Mellin and Andler [10]. Liu et al. use Real Time Logic to define 
the semantics of an event detection system. As a result, the conditions for event 
occurrences can be transformed into timing constraints and handled by general 
timing constraint monitoring techniques [9]. 

The event algebra developed by Hinze and Voisard is designed to suit event 
notification service systems in general [7]. Their algebra contains time restricted 
sequence and conjunction, which permits events like “A occurs less than t time 
units before B” to be expressed. 

In the area of knowledge representation, similar techniques are used to reason 
about event occurrences. Interval Calculus introduces formalised concepts for 
properties, actions and events, where events are expressed in terms of conditions 
for their occurrence [2]. Event Calculus [8] also deals with the occurrences of 
events, but, as in the Interval Calculus, the motivation is slightly different from 
ours. Rather than detecting complex events as they occur, the focus of Event 
Calculus is the inferences that can be made from the fact that certain events 
have occurred. 
2.1 Restricted Detection 

A very straightforward definition of the sequence operator is that the sequence 
A; B should occur whenever A occurs and then B occurs. Using this definition, 
three occurrences of A followed by two occurrences of B would generate six 
occurrences of the sequence. While this may be acceptable, or even desirable, 
in some applications, the memory requirements (each occurrence of A must be 
remembered forever) and the increasing number of simultaneous events means 
that it is unsuitable in many cases. Also, it is argued that many applications are 
interested only in a subset of the instances that are generated by this definition. 

One way to deal with this is to define the event algebra in two steps. The 
operations are defined in an unrestricted, straightforward way like in our example 
above. Then a restriction policy is defined. This acts like a filter, so that only 
a subset of the occurrences allowed by the unrestricted definition are detected. 
For example, the restriction policy could state that only the latest occurrence 
of A is allowed to create an occurrence of A;B when B occurs. 

Restriction-based methods of this type are used, for example, by Snoop [3] and 
in the algebra proposed by Hinze and Voisard [7] . Zimmer and Unland present 
a formal restriction framework in which the event algebras of Snoop, SAMOS 
and Ode are compared [11]. 

2.2 Interval-Based Event Detection 

Single point detection means that every complex event, including those that 
occur during a time interval, is associated with a single time point (the time of 
detection, i.e., the end of the occurrence interval). Galton and Augusto [4] showed 
that this results in unintended semantics for some operation compositions. 

For example, using single point detection an instance of the event A;(B;C) 
is detected if B occurs first, and then A followed by C. The reason is that these 
occurrences cause a detection of B;C which is associated with the occurrence 
time of C. Since A occurs before this time point, an occurrence of A;(B;C) is 
detected. 

This problem can be solved by associating the occurrence of a complex event 
with the occurrence interval, rather than the time of detection. In this setting, 
the sequence A;B can be defined to occur only if the intervals of A and B are 
non-overlapping. In our example, no occurrence of A;(B;C) would be detected, 
since A occurs within the interval associated with the occurrence of B;C. 
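The A;(B;C) example of this subsection, as an added illustration that is not part of the original paper: the same three primitive occurrences (B at time 1, A at time 2, C at time 3, a constructed input) are evaluated once with single point detection and once with interval based detection, the latter using the non-overlap condition end(s) < start(t); the function names are ours.

```python
# Constructed example for Section 2.2 (added for this page, not the paper's code).
# Primitive occurrences are instantaneous, so a primitive instance occupies the
# interval (t, t); under single point detection it is just the time t.

def seq_point(S, T):
    """Single point detection: an instance is identified with its detection
    time (the end of its occurrence), and s;t holds whenever s < t.
    The result of a sequence is again a detection time, the time of t."""
    return {t for s in S for t in T if s < t}

def seq_interval(S, T):
    """Interval based detection: an instance is its occurrence interval
    (start, end), and s;t holds only when the intervals do not overlap,
    i.e. end(s) < start(t). The result spans from start(s) to end(t)."""
    return {(s[0], t[1]) for s in S for t in T if s[1] < t[0]}

# The scenario of the text: B occurs first, then A, then C (constructed times).
A_PT, B_PT, C_PT = {2}, {1}, {3}                  # detection times
A_IV, B_IV, C_IV = {(2, 2)}, {(1, 1)}, {(3, 3)}   # occurrence intervals

def point_detection():
    """Returns (A;(B;C), (A;B);C) under single point detection."""
    return (seq_point(A_PT, seq_point(B_PT, C_PT)),
            seq_point(seq_point(A_PT, B_PT), C_PT))

def interval_detection():
    """Returns (A;(B;C), (A;B);C) under interval based detection."""
    return (seq_interval(A_IV, seq_interval(B_IV, C_IV)),
            seq_interval(seq_interval(A_IV, B_IV), C_IV))

if __name__ == "__main__":
    print("single point:", point_detection())     # A;(B;C) fires at time 3, (A;B);C never
    print("interval:    ", interval_detection())  # neither association fires
```

Under single point detection the two associations of the same three events disagree (A;(B;C) is detected at time 3 although A started after B), while the interval version detects neither, because B;C occupies the interval (1, 3) and A at time 2 lies inside it.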

Most event algebras, especially in the area of active databases, use single 
point detection. An interval based version of Snoop has been developed by 
Adaikkalavan and Chakravarthy [1], and the work by Mellin and Andler is also 
based on intervals [10]. 

3 The Event Algebra 

The system is assumed to have a pre-defined set of primitive events that it should 
be able to react to. These events can be external (sampled from the environment 
or originating from another system) or internal (such as the violation of a con- 
dition over the system state, or a timeout), but the detection mechanism does 
not distinguish between these categories. 

We assume occurrences of primitive events to be instantaneous and atomic, 
and allow occurrences to carry values. This value could for example identify 
at which external device the event occurred, or be some measured value from 
the environment. The values are not manipulated in any way by the detection 
mechanism, but simply forwarded to the part of the system that reacts to the 
detected events. An occurrence of a primitive event is represented by the tuple 
(u, r), where v is the value {v belongs to some arbitrary domain of values), and r 
is the time of the occurrence. We assume a discrete time modelled by the natural 
numbers. 

3.1 Basic Concepts 

From the simple events, represented by a set $\mathcal{I}$ of identifiers, expressions repre- 
senting complex events can be constructed as follows. 

Definition 1. Given a set $\mathcal{I}$ of identifiers we define: 

— If $A \in \mathcal{I}$, then A is an event expression. 

— If A and B are event expressions, so are $A \vee B$, $A + B$, $A - B$ and $A;B$. 

The complex event expressions in the definition represent disjunction, conjunc- 
tion, negation and sequence, respectively. 

Definition 2. An event instance is a set of value-time tuples. A primitive event 
instance is a singleton set. For an event instance a, we define: 

$start(a) = \min_{(v,\tau) \in a}(\tau)$ 

$end(a) = \max_{(v,\tau) \in a}(\tau)$ 

From the definition it follows that for any primitive event instance a, start(a) = 
end(a). Non-primitive event instances are considered to occur throughout an 
interval from the earliest of the included primitive event instances to the latest 
one. 

All instances of a particular event form an event stream. The semantics of the 
algebra, presented below, associates with each event expression a corresponding 
event stream. 

Definition 3. An event stream is a set of event instances. An event stream A is 
said to be non-simultaneous if all instances have different end times. A primitive 
event stream is a non-simultaneous event stream containing only primitive event 
instances. 
3.2 Unrestricted Semantics 

Definition 4. For an event stream S and an event instance a, define 
empty(S, a) to hold iff there is no $s \in S$ such that $start(a) \le start(s)$ and 
$end(s) \le end(a)$. 

The following four functions over event streams form the core of the algebra 
semantics, as they define the basic characteristics of the four operations. 

Definition 5. For event streams S and T, define: 

$dissem(S, T) = S \cup T$ 

$consem(S, T) = \{ s \cup t \mid s \in S \wedge t \in T \}$ 

$negsem(S, T) = \{ s \mid s \in S \wedge empty(T, s) \}$ 

$seqsem(S, T) = \{ s \cup t \mid s \in S \wedge t \in T \wedge end(s) < start(t) \}$ 

Definition 6. An interpretation is a function that maps each identifier in $\mathcal{I}$ to 
a primitive event stream. 

Definition 7. The unrestricted meaning of an event expression for a given in- 
terpretation $\mathcal{S}$ is defined as follows: 

$[A]^{\mathcal{S}} = \mathcal{S}(A)$ if $A \in \mathcal{I}$ 

$[A \vee B]^{\mathcal{S}} = dissem([A]^{\mathcal{S}}, [B]^{\mathcal{S}})$ 

$[A + B]^{\mathcal{S}} = consem([A]^{\mathcal{S}}, [B]^{\mathcal{S}})$ 

$[A - B]^{\mathcal{S}} = negsem([A]^{\mathcal{S}}, [B]^{\mathcal{S}})$ 

$[A;B]^{\mathcal{S}} = seqsem([A]^{\mathcal{S}}, [B]^{\mathcal{S}})$ 

To simplify the presentation, we will use the notation $[A]$ instead of $[A]^{\mathcal{S}}$ when- 
ever the choice of $\mathcal{S}$ is obvious or arbitrary. 



3.3 Restricted Semantics 

As discussed in the introduction, due to efficiency considerations we have to 
restrict the detection to a subset of the instances defined by the unrestricted 
semantics. As a first step, we remove simultaneous instances of an event stream 
(i.e., instances a and a' of the same event stream with end(a) = end(a')). In 
order not to lose the desired algebraic properties, this filtering must be done 
carefully. 

Definition 8. Let remsim be any function over event streams such that the 
following holds. For an event stream S, remsim(S) is a minimal subset of S such 
that for any element $s \in S$ there is an element $s' \in remsim(S)$ with $start(s) \le 
start(s')$ and $end(s) = end(s')$. 

Informally, from a number of instances with the same end time, we keep only 
one with maximal start time. Using discrete time ensures that such a function 
exists. 
For all operations except sequence, this restriction is enough to allow an 
efficient implementation (negation does not need any restriction at all). For 
sequence, however, we also have to deal with the problem that in the unrestricted 
version, each occurrence of the first argument is used over and over again in 
combination with all subsequent instances of the second argument. This means 
that every instance of the first argument must be stored throughout the system 
lifetime, thus precluding an implementation with limited resources. 

Definition 9. Let restrict be any function over event streams such that the 
following holds. For an event stream S, restrict(S) is a minimal subset of S 
such that for any element $s \in S$ there is an element $s' \in restrict(S)$ with 
$start(s) \le start(s')$ and $end(s') \le end(s)$. 

Informally, when detecting a sequence A; B, an instance of A can only be com- 
bined with the earliest possible instance of B. Similarly, an instance of B can 
only be combined with the latest possible instance of A. This is similar, but not 
equivalent, to the recent context of Snoop. 

Definition 10. The restricted meaning of an event expression for a given in- 
terpretation $\mathcal{S}$ is: 

$\llparenthesis A \rrparenthesis^{\mathcal{S}} = \mathcal{S}(A)$ if $A \in \mathcal{I}$ 

$\llparenthesis A \vee B \rrparenthesis^{\mathcal{S}} = remsim(dissem(\llparenthesis A \rrparenthesis^{\mathcal{S}}, \llparenthesis B \rrparenthesis^{\mathcal{S}}))$ 

$\llparenthesis A + B \rrparenthesis^{\mathcal{S}} = remsim(consem(\llparenthesis A \rrparenthesis^{\mathcal{S}}, \llparenthesis B \rrparenthesis^{\mathcal{S}}))$ 

$\llparenthesis A - B \rrparenthesis^{\mathcal{S}} = negsem(\llparenthesis A \rrparenthesis^{\mathcal{S}}, \llparenthesis B \rrparenthesis^{\mathcal{S}})$ 

$\llparenthesis A;B \rrparenthesis^{\mathcal{S}} = restrict(seqsem(\llparenthesis A \rrparenthesis^{\mathcal{S}}, \llparenthesis B \rrparenthesis^{\mathcal{S}}))$ 

As in the unrestricted version, we will use the notation $\llparenthesis A \rrparenthesis$ instead of $\llparenthesis A \rrparenthesis^{\mathcal{S}}$ 
whenever the choice of $\mathcal{S}$ is obvious or arbitrary. 

Example 1. To illustrate the difference between the unrestricted and the re- 
stricted semantics, these tables show the event instances of A and B (which we 
assume to be primitive, so $[A] = \llparenthesis A \rrparenthesis$ and $[B] = \llparenthesis B \rrparenthesis$), together with the corre- 
sponding instances of the complex events $A + B$ and $A;B$, using both unrestricted 
and restricted semantics. 

[Tables of Example 1, with columns $[A]$, $[B]$, $[A;B]$ and their restricted counterparts; 
the table entries are not recoverable from the scan.] 
4 Algebraic Properties 

A main concern regarding the restriction policy has been to ensure that the 
restricted algebra should comply with the algebraic laws that intuitively should 
hold for an event algebra. Disjunction and sequence should be associative, con- 
junction should be distributive over disjunction, etc. This is not the only re- 
quirement, however, since it would be trivially satisfied by a restriction policy 
that simply filters away all instances. The restriction policy should remove as 
few instances as possible, while still ensuring the desired algebraic properties 
and allowing an implementation with bounded resources. More specifically, we 
want a theoretical description of the relation between the unrestricted semantics 
and the restricted version. 

The following theorem justifies the proposed restriction policy. The subset 
result is not trivial, since with a different restriction policy $\llparenthesis B \rrparenthesis \subseteq [B]$ could 
easily mean that $\llparenthesis A - B \rrparenthesis \supseteq [A - B]$. The second statement ensures that our 
restriction policy does not remove too much. Every removed instance leaves some 
trace in the restricted version, as the interval between the start and end time of 
the removed instance must be non-empty. 

Theorem 1. For any event expression A, the following holds: 

i) $\llparenthesis A \rrparenthesis \subseteq [A]$ 

ii) $\forall a \in [A]\ \exists a' \in \llparenthesis A \rrparenthesis\ (start(a) \le start(a') \wedge end(a') \le end(a))$ 

Proof. We prove the theorem by structural induction over expressions. As a base 
case, both statements hold trivially for any primitive event expression since 
$\llparenthesis A \rrparenthesis = [A]$ when $A \in \mathcal{I}$. For the inductive case, assume that both statements 
hold for event expressions $A_1$ and $A_2$. From Definition 5, and the fact that 
$restrict(S) \subseteq S$ and $remsim(S) \subseteq S$, it follows that statement i) holds for $A_1 \vee A_2$, 
$A_1 + A_2$ and $A_1;A_2$. 

In order to show that statement i) holds for negation, take an arbitrary $a \in 
\llparenthesis A_1 - A_2 \rrparenthesis$. Then $a \in \llparenthesis A_1 \rrparenthesis$ and $empty(\llparenthesis A_2 \rrparenthesis, a)$. By assumption i), this means that 
$a \in [A_1]$ and assumption ii) implies $empty([A_2], a)$. Thus, $a \in negsem([A_1], [A_2])$, 
so $a \in [A_1 - A_2]$, which means that we have $\llparenthesis A_1 - A_2 \rrparenthesis \subseteq [A_1 - A_2]$. 

Continuing the inductive case with statement ii), we consider first the case of 
sequence. We take an arbitrary $a \in [A_1;A_2]$, which implies $a = a_1 \cup a_2$ where $a_1 \in 
[A_1]$ and $a_2 \in [A_2]$ with $end(a_1) < start(a_2)$. By assumption ii), there are in- 
stances $a'_1 \in \llparenthesis A_1 \rrparenthesis$ and $a'_2 \in \llparenthesis A_2 \rrparenthesis$ such that $start(a_i) \le start(a'_i)$ and $end(a'_i) \le 
end(a_i)$ for $i \in \{1, 2\}$, and thus $a'_1 \cup a'_2 \in seqsem(\llparenthesis A_1 \rrparenthesis, \llparenthesis A_2 \rrparenthesis)$. Then, by the defi- 
nition of restrict, there must be some element $a' \in restrict(seqsem(\llparenthesis A_1 \rrparenthesis, \llparenthesis A_2 \rrparenthesis))$ 
with $start(a'_1) \le start(a')$ and $end(a') \le end(a'_2)$. So, we have found an in- 
stance $a' \in \llparenthesis A_1;A_2 \rrparenthesis$ for which $start(a) = start(a_1) \le start(a'_1) \le start(a')$ and 
$end(a') \le end(a'_2) \le end(a_2) = end(a)$. 

For negation, we take an arbitrary $a \in [A_1 - A_2]$. This implies $a \in [A_1]$ 
and $empty([A_2], a)$, which by assumption i) means that $empty(\llparenthesis A_2 \rrparenthesis, a)$. By as- 
sumption ii), there is an instance $a' \in \llparenthesis A_1 \rrparenthesis$ with $start(a) \le start(a')$ and 
$end(a') \le end(a)$. We have $empty(\llparenthesis A_2 \rrparenthesis, a')$, and thus $a' \in negsem(\llparenthesis A_1 \rrparenthesis, \llparenthesis A_2 \rrparenthesis)$. 
So, we have found an instance $a' \in \llparenthesis A_1 - A_2 \rrparenthesis$ for which $start(a) \le start(a')$ and 
$end(a') \le end(a)$. 

The proofs for disjunction and conjunction are similar to the cases above, and 
have been left out due to space limitations. Together, this proves by induction 
that both statements hold for any event expression A. □ 

In order to reason about algebraic properties like associativity, etc. we must define a relaxed concept of equivalence. As a result of the restriction policy, the two sets $\lfloor A ; (B ; C)\rfloor$ and $\lfloor (A ; B) ; C\rfloor$ are not necessarily equal. However, we can show that for every instance of $\lfloor A ; (B ; C)\rfloor$ there is an instance of $\lfloor (A ; B) ; C\rfloor$ with the same start and end time, and vice versa. This means, for example, that in systems where events are used to trigger response actions, the two expressions would trigger actions at the same time (although possibly with different values). This time based notion of equality is formalised as follows.

Definition 11. For event instances a and b, event streams S and T, and event expressions A and B, define:

$a \cong b$ iff $start(a) = start(b)$ and $end(a) = end(b)$

$S \cong T$ iff $\{(start(a), end(a)) \mid a \in S\} = \{(start(b), end(b)) \mid b \in T\}$

$A \cong B$ iff $\lfloor A\rfloor \cong \lfloor B\rfloor$

Trivially, $\cong$ is an equivalence relation. Moreover, we will show that it satisfies the substitutive condition, and hence defines a structural congruence over event expressions. For the proof, we need the following lemma.

Lemma 1. For event streams such that $S \cong S'$ and $T \cong T'$, we have:

$dissem(S, T) \cong dissem(S', T')$   $negsem(S, T) \cong negsem(S', T')$

$consem(S, T) \cong consem(S', T')$   $remsim(S) \cong remsim(S')$

$seqsem(S, T) \cong seqsem(S', T')$   $restrict(S) \cong restrict(S')$

Proof. The four equivalences regarding dissem, consem, etc. follow trivially from the fact that Definition 5 only considers start and end times. For the remsim equivalence, take an arbitrary $a \in remsim(S)$. Then $a \in S$ so there is an $a' \in S'$ with $a \cong a'$. The definition of remsim implies that there is some $b \in remsim(S')$ such that $start(a') \le start(b)$ and $end(b) = end(a')$. In the same way, there is a corresponding element $b' \in S$ such that $b \cong b'$, so there is some element $c \in remsim(S)$ with $start(b') \le start(c)$ and $end(c) = end(b')$.

We have two elements $a$ and $c$ in $remsim(S)$ with $start(a) \le start(c)$ and $end(a) = end(c)$. Assuming $a \ne c$, the set $remsim(S) - \{a\}$ meets the requirement in the definition of remsim, contradicting the minimality. Hence, we must have $a = c$, which implies $start(a) = start(b)$. So, for an arbitrary $a \in remsim(S)$ we have found a $b \in remsim(S')$ with $a \cong b$, and hence $remsim(S) \cong remsim(S')$. The proof of the restrict equivalence is very similar to the one above. □

Theorem 2. If $A_1 \cong A_1'$ and $A_2 \cong A_2'$ then we have $(A_1 \vee A_2) \cong (A_1' \vee A_2')$, $(A_1 + A_2) \cong (A_1' + A_2')$, $(A_1 - A_2) \cong (A_1' - A_2')$ and $(A_1 ; A_2) \cong (A_1' ; A_2')$.

Proof. This follows trivially from Lemma 1 and Definition 10. □



An Interval-Based Algebra for Restricted Event Detection 129

Using the weak equivalence, we can formulate a number of algebraic laws.

Theorem 3. For any event expressions A, B and C, the following laws hold:

R1:  $A \vee B \cong B \vee A$
R2:  $A \vee A \cong A$
R3:  $A \vee (B \vee C) \cong (A \vee B) \vee C$
R4:  $A ; (B ; C) \cong (A ; B) ; C$
R5:  $A + B \cong B + A$
R6:  $A + A \cong A$
R7:  $A + (B + C) \cong (A + B) + C$
R8:  $A + (B \vee C) \cong (A + B) \vee (A + C)$
R9:  $(A \vee B) + C \cong (A + C) \vee (B + C)$
R10: $(A \vee B) - C \cong (A - C) \vee (B - C)$
R11: $(A - B) - B \cong A - B$
R12: $A - (B \vee C) \cong (A - B) - C$


Proof. R1, R2 and R3 follow trivially from Definitions 10 and 5 and the definition of remsim. For R4, we first take an arbitrary $d \in \lfloor A ; (B ; C)\rfloor$. Using Theorem 1 it is straightforward to show that $d \in [\![(A ; B) ; C]\!]$, which implies that there is some $d' \in \lfloor (A ; B) ; C\rfloor$ with $start(d) \le start(d')$ and $end(d') \le end(d)$. In the same way, this implies that there is some $d'' \in \lfloor A ; (B ; C)\rfloor$ with $start(d') \le start(d'')$ and $end(d'') \le end(d')$. The minimality condition in the definition of restrict means that we must in fact have $d = d''$, which implies $d \cong d'$. Thus, for an arbitrary $d \in \lfloor A ; (B ; C)\rfloor$ there is a $d' \in \lfloor (A ; B) ; C\rfloor$ such that $d \cong d'$. In the same way we can show that for an arbitrary $d \in \lfloor (A ; B) ; C\rfloor$ there is a $d' \in \lfloor A ; (B ; C)\rfloor$ with $d \cong d'$.

R5 and R6 follow trivially from Definitions 10 and 5 and the definition of remsim. The proofs of R7 and R8 are very similar to that of R4. R9 follows trivially from R5 and R8.

For R10, we take an arbitrary $d \in \lfloor (A \vee B) - C\rfloor$. This means that $d \in \lfloor A \vee B\rfloor$ and $empty(\lfloor C\rfloor, d)$. Thus either $d \in \lfloor A\rfloor$ or $d \in \lfloor B\rfloor$, which means that $d \in \lfloor A - C\rfloor$ or $d \in \lfloor B - C\rfloor$, but in both cases we have $d \in dissem(\lfloor A - C\rfloor, \lfloor B - C\rfloor)$. Thus there is some $d' \in \lfloor (A - C) \vee (B - C)\rfloor$ with $start(d) \le start(d')$ and $end(d) = end(d')$. Since $d' \in dissem(\lfloor A\rfloor, \lfloor B\rfloor)$, by minimality of remsim we must have $d = d'$. In a similar way we can show that any $d \in \lfloor (A - C) \vee (B - C)\rfloor$ implies the existence of a $d' \in \lfloor (A \vee B) - C\rfloor$ such that $d = d'$.

R11 follows trivially from Definitions 10 and 5. For R12, if $a \in \lfloor A - (B \vee C)\rfloor$ we have $a \in \lfloor A\rfloor$ and $empty(\lfloor B \vee C\rfloor, a)$. By Theorem 1, we must have $empty([\![B \vee C]\!], a)$ and thus $empty(\lfloor B\rfloor, a)$ and $empty(\lfloor C\rfloor, a)$. Then $a \in \lfloor A - B\rfloor$, and $a \in \lfloor (A - B) - C\rfloor$. Starting instead with an $a \in \lfloor (A - B) - C\rfloor$, this means $a \in \lfloor A\rfloor$, $empty(\lfloor B\rfloor, a)$ and $empty(\lfloor C\rfloor, a)$. Then $empty(\lfloor B \vee C\rfloor, a)$ and thus $a \in \lfloor A - (B \vee C)\rfloor$. □
5 Event Detection Algorithm

For the detection algorithm, we let 1 denote the first time point at which events 
may occur, using 0 only when referring to the time of system initialisation. 

To simplify the algorithm presentation, we use the following auxiliary functions (match is not well-defined, but any function that meets the condition can be used).

$match(y, q) = ()$ if no instance exists in $filter(y, q)$; otherwise $match(y, q) = y \cup e$ for an element $e$ in $filter(y, q)$ with maximum start time

$filter(y, q) = \{e \mid e \in q \wedge end(e) < start(y)\}$

The symbol $()$ is used to represent a non-occurrence, and we use the symbol $\tau$ when referring to the current time in the algorithm. Since each operator occurrence in the expression requires its own state variables, we simplify the presentation by using variables that are indexed with subexpressions. Thus, for each subexpression A, $v_A$ denotes the $v$ variable of A. An equivalent method would be to number each subexpression, and use ordinary integer indexed variables.

5.1 Algorithm Description 

Figure 1 presents the algorithm for detecting an event expression E. The al- 
gorithm is presented in a meta format that can be instantiated for any fixed 
expression. The top level conditionals can be evaluated statically, which per- 
mits statically unrolling the foreach statement. All indices can also be evaluated 
statically. A concrete example of this is given in Example 2. 

In the initial state, at time 0, let $w_A = z_A = ()$, $t_A = 0$ and $q_A = \emptyset$ for every subexpression A in E. Each time instant, the algorithm takes as input the current instances of primitive events (provided by the get function) and computes the current instance of E, if there is one. The following theorem formalises the output of the algorithm.

Theorem 4. For any subexpression A in E, after executing the algorithm at time instants 1 to $\tau$, $v_A = a$ if there is an instance $a \in \lfloor A\rfloor$ with $end(a) = \tau$. If there is no such instance in $\lfloor A\rfloor$, $v_A = ()$.

Proof. We only outline very informally the core of the correctness proof, providing some intuition for the relation between the algorithm and the formal semantics. When processing a subexpression A of the form $B \vee C$, $v_B$ and $v_C$ already contain the current instances of B and C, respectively, since the original expression is processed bottom-up. The algorithm assigns to $v_A$ the one with the latest start time, which according to the definition of remsim is the current instance of A.

Conjunctions are handled by storing in $w$ and $z$ the instances with latest start time from B and C, respectively. If there is a current instance of B or C, the




For each subexpression A in E, in bottom-up order, do the following:
  if A is a primitive event then v_A := get(A, S, τ)
  if A is B ∨ C then
    if v_B = () or (v_C ≠ () and start(v_B) < start(v_C))
      then v_A := v_C
      else v_A := v_B
  if A is B + C then
    if v_B ≠ () and (w_A = () or start(w_A) < start(v_B)) then w_A := v_B
    if v_C ≠ () and (z_A = () or start(z_A) < start(v_C)) then z_A := v_C
    if v_B ≠ () and ((v_C = () and z_A ≠ ()) or
                     (v_C ≠ () and start(v_C) < start(v_B)))
      then v_A := v_B ∪ z_A
    if v_C ≠ () and ((v_B = () and w_A ≠ ()) or
                     (v_B ≠ () and start(v_B) < start(v_C)))
      then v_A := w_A ∪ v_C
  if A is B − C then
    if v_C ≠ () and t_A < start(v_C) then t_A := start(v_C)
    if v_B ≠ () and t_A < start(v_B) then v_A := v_B
  if A is B ; C then
    if v_C = () then v_A := ()
      else v_A := match(v_C, q_A); q_A := q_A − filter(v_C, q_A)
    if v_B ≠ () and t_A < start(v_B)
      then q_A := q_A ∪ {v_B}; t_A := start(v_B)

Fig. 1. Meta-algorithm for the detection of E under the interpretation S



current instance of A is formed by combining instances from B and C such that at least one is a current instance, and such that the start time of the combination is as late as possible.

For negations, the variable $t$ contains the latest start time of all instances of C that have occurred until now. The current instance of B becomes the current instance of A if it starts later than $t$, which conforms to the definition of negsem.

To deal with sequences, the variable $q$ stores instances of B that it has not yet been possible to match with any instance of C. In addition, the variable $t$ is used to ensure that no instances in $q$ are fully overlapping. If there is a current instance of C, it is combined with the best matching instance in $q$ to form the current instance of A. Also, the definition of restrict dictates that instances of B that end before the start time of the current instance of C may not be used to form future instances of A. Hence, these are removed from $q$. □
v_1 := get(A, S, τ)
v_2 := get(B, S, τ)
v_3 := get(C, S, τ)
if v_1 = () or (v_2 ≠ () and start(v_1) < start(v_2))
  then v_4 := v_2
  else v_4 := v_1
if v_3 ≠ () and t_5 < start(v_3) then t_5 := start(v_3)
if v_4 ≠ () and t_5 < start(v_4) then v_5 := v_4

Fig. 2. Instantiated algorithm for detecting (A ∨ B) − C



Example 2. Assume we are detecting the event $(A \vee B) - C$. After instantiating the meta-algorithm, we can unroll the foreach statement and statically evaluate the top-level conditionals. We also instantiate the subexpression indices with corresponding integers. The resulting algorithm is presented in Figure 2.
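As an added example (not code from the paper), the meta-algorithm of Figure 1 and the instantiation of Example 2 written out in Python: instances are sets of primitive occurrences, () is None, and the three input streams are constructed here. Two details the figure leaves implicit are taken as assumptions of this example: v_A is reset to () at the start of each time instant, and a tie start(v_B) = start(v_C) in a conjunction is resolved by the second combination rule.

```python
# Added example (not the paper's code): the meta-algorithm of Figure 1 in Python.
# Expressions: a primitive event name (str) or ('or'|'and'|'not'|'seq', B, C).
# An instance is a frozenset of (name, time) primitive occurrences; start/end
# are its min/max time. None plays the role of the non-occurrence ().
# Assumptions (mine, not the paper's): v_A is reset to () at every time instant,
# and a tie start(v_B) = start(v_C) in a conjunction goes to the second rule (<=).

def start(a):
    return min(t for _, t in a)

def end(a):
    return max(t for _, t in a)

def subexpressions(expr):
    """Distinct subexpressions of expr in bottom-up (post-order) order."""
    out = []
    def walk(e):
        if isinstance(e, tuple):
            walk(e[1])
            walk(e[2])
        if e not in out:
            out.append(e)
    walk(expr)
    return out

def filter_(y, q):
    """filter(y, q) = {e in q | end(e) < start(y)}: stored instances that may precede y."""
    return {e for e in q if end(e) < start(y)}

def match(y, q):
    """y combined with the latest-starting element of filter(y, q), or () if none."""
    cands = filter_(y, q)
    return y | max(cands, key=start) if cands else None

class Detector:
    def __init__(self, expr):
        self.expr = expr
        self.subs = subexpressions(expr)
        self.v = {A: None for A in self.subs}    # current instance of A
        self.w = {A: None for A in self.subs}    # conjunction: latest-start B instance
        self.z = {A: None for A in self.subs}    # conjunction: latest-start C instance
        self.t = {A: 0 for A in self.subs}       # negation / sequence time stamp
        self.q = {A: set() for A in self.subs}   # sequence: unmatched B instances

    def step(self, tau, occurred):
        """Run the meta-algorithm at time tau; occurred = primitive names seen now."""
        v, w, z, t, q = self.v, self.w, self.z, self.t, self.q
        for A in self.subs:
            v[A] = None
            if isinstance(A, str):
                v[A] = frozenset({(A, tau)}) if A in occurred else None
                continue
            op, B, C = A
            vB, vC = v[B], v[C]
            if op == 'or':        # keep the instance with the latest start (remsim)
                take_c = vB is None or (vC is not None and start(vB) < start(vC))
                v[A] = vC if take_c else vB
            elif op == 'and':
                if vB is not None and (w[A] is None or start(w[A]) < start(vB)):
                    w[A] = vB
                if vC is not None and (z[A] is None or start(z[A]) < start(vC)):
                    z[A] = vC
                if vB is not None and ((vC is None and z[A] is not None) or
                                       (vC is not None and start(vC) < start(vB))):
                    v[A] = vB | z[A]
                if vC is not None and ((vB is None and w[A] is not None) or
                                       (vB is not None and start(vB) <= start(vC))):
                    v[A] = w[A] | vC
            elif op == 'not':     # B - C: B must start after every C seen so far
                if vC is not None and t[A] < start(vC):
                    t[A] = start(vC)
                if vB is not None and t[A] < start(vB):
                    v[A] = vB
            elif op == 'seq':     # B ; C
                if vC is not None:
                    v[A] = match(vC, q[A])
                    q[A] -= filter_(vC, q[A])   # restrict: these B instances are spent
                if vB is not None and t[A] < start(vB):
                    q[A].add(vB)
                    t[A] = start(vB)
        return v[self.expr]

def detect(expr, stream):
    """stream: list of (tau, {names}) with tau increasing from 1.
    Returns {tau: (start, end)} for every instant at which expr has an instance."""
    d, found = Detector(expr), {}
    for tau, occurred in stream:
        a = d.step(tau, occurred)
        if a is not None:
            found[tau] = (start(a), end(a))
    return found

# Constructed input streams (not from the paper); Example 2's expression is the first.
EXAMPLE2 = ('not', ('or', 'A', 'B'), 'C')
STREAM_EX2 = [(1, {'A'}), (2, {'C'}), (3, {'B'}), (4, {'A', 'C'}), (5, {'A', 'B'})]
STREAM_SEQ = [(1, {'A'}), (2, {'A'}), (3, {'B'}), (4, {'B'}), (5, {'A', 'B'})]
STREAM_AND = [(1, {'A'}), (3, {'B'}), (4, {'B'}), (6, {'A'})]
```

On STREAM_SEQ the sequence A ; B at time 3 picks the later A (start 2) from the stored set and then discards both stored instances, which is the set-based behaviour the conclusions discuss.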



6 Conclusions and Future Work 

We have developed an interval based algebra for detection of complex events. 
The algebra includes a strong restriction policy in order to comply with the 
resource requirements of embedded or real-time applications. The restriction 
policy is justified by a theorem stating that it never adds instances, compared 
to the unrestricted semantics. Also, every removed instance leaves some trace 
in the restricted version, as the interval between the start and end time of the 
removed instance must still contain at least one instance. 

An event detection algorithm that implements the proposed algebra was 
presented. In this algorithm, each disjunction, conjunction and negation in the 
event expression requires a constant amount of storage, and contributes with 
a constant factor to the computation time. For the sequence A; B, on the other 
hand, a set of instances must be stored and the computation time is proportional 
to the size of this set. This is a result of Theorem 1, since it is not enough to 
store a single best instance of A (i.e., the one with latest start time). Once an 
instance of B occurs, it must be combined with the best allowed instance of A. 
This might not be the best instance of A that has occurred so far, if the interval 
of B is long. 

This is clearly a weakness, but as it follows from one of the desired properties of the restriction, we have to look for other ways to ensure limited resource demands. The maximum size of the storage set for A; B depends on the relative frequency of occurrences in A and B. Roughly, if no more than n instances of A can occur during the longest possible interval in which no B occurs, n is the maximum size of the storage set.

We are currently formalising this idea, including how to calculate frequency bounds for complex events from frequency bounds of the primitive events. This seems to be possible for all expressions except negations, so there is still a problem with expressions like A; (B − C). If C and B occur together, B − C never occurs at all, so every instance of A is stored forever.

Additional future work includes finishing the formal proof of Theorem 4. We are also considering extending the algebra with additional operations, especially time limited versions of sequence and conjunction.
Abstract. In this paper, we introduce a dense time process algebraic 
formalism with support for specification of (shared) resource require- 
ments and resource schedulers. The goal of this approach is to facili- 
tate and formalize introduction of scheduling concepts into process al- 
gebraic specification using separate specifications for resource requiring 
processes, schedulers and systems composing the two. The benefits of 
this research are twofold. Firstly, it allows for formal investigation of 
scheduling strategies. Secondly, it provides the basis for an extension of 
schedulability analysis techniques to the formal verification process, facil- 
itating the modelling of real-time systems in a process algebraic manner 
using the rich background of research in scheduling theory. 



1 Introduction 

Scheduling theory has a rich history of research in computer science dating back to the 60's and early 70's. Process algebras have been studied as a formal theory of system design and verification since about the same time. These theories remained separate until recently, when some connections between them were investigated. However, combining scheduling theory in a process algebraic design still involves many theoretical and practical complications. In this paper, building upon previous attempts in this direction, we propose a process algebra for the design of scheduled real-time systems called PARS (for Process Algebra with Resources and Schedulers). Previous attempts to incorporate scheduling algorithms in process algebra either did not have an explicit notion of schedulers, such as those of [3, 12, 13] (thus coding the scheduling policy in the process specification), or treated scheduling only for restricted cases, such as those of [4, 10] (that only support single-processor scheduling).

Our approach to modelling scheduled systems is depicted in Figure 1. Process 
specification (including aspects such as causal relations of actions, their timing 
and resource requirements) is separated from specification of schedulers. System 
level specification consists of applying schedulers to process specifications, on 
the one hand, and composing scheduled systems, on the other hand. A distin- 
guishing feature of our process algebra is the possibility of specifying schedulers 
as process terms (similar to resource-consuming processes). Another advantage 
[Figure 1: process specification, scheduler specification and scheduled system]

Fig. 1. Schematic view of the PARS approach



of the proposed approach is the separation between process specification and 
scheduler specification that provides a separation of concerns, allows for spec- 
ifying generic scheduling strategies and makes it possible to apply schedulers 
to systems at different levels of abstraction. Common to most process algebraic 
frameworks for resources, the proposed framework provides the possibility of 
extending standard schedulability analysis to the formal verification process. 

The paper is organized as follows. We define the syntax and semantics of 
PARS in three parts. In Section 2, we build a process algebra with asynchronous 
relative dense time (i.e., with the possibility of interleaving timing transitions) 
for process specification that has a notion of resource consumption. In Sec- 
tion 3, a similar process algebraic theory is developed for schedulers as resource 
providers. Section 4 defines application of a scheduler to a process. In each sec- 
tion, we first give the formal syntax and semantics of our language and then 
explain its usage using different aspects of one or more examples. In Section 5, we compare our approach to several recent extensions of process algebra with resources and, finally, Section 6 concludes the results and presents future research directions. Due to space restrictions, in this paper, we leave out a few details of the theory and some definitions. We give an informal explanation for the eliminated parts and refer the interested reader to [14] for a detailed version of this paper.

2 Process Specification 

The first part of specification in PARS consists of process specification which represents the behavior of the system with the resource requirements of its basic actions. In our framework, resources are represented by a set $R$. The amount of resources required by a basic durational action is modeled by a function $\rho : R \rightarrow \mathbb{R}^{\ge 0}$ (indicating the required quantity of each resource). We assume the resource demand to be constant during execution of basic actions. The resources provided by schedulers are modeled using a function $\bar\rho : R \rightarrow \mathbb{R}^{\ge 0}$. Active tasks (actions currently being executed) that require or provide resources are represented by multisets of such tasks in the semantics. As a notational convention, we refer to the set of all multisets as $\mathbb{M}$. (We assume that the type of elements in the
$P ::= \delta \mid p(t) \mid P ; P \mid P \parallel P \mid P \,|||\, P \mid P + P \mid \sigma_t(P) \mid \mu X.P(X) \mid \int_{x_t \in T} P(x_t) \mid \partial_{Act}(P) \mid id : P$

$p \in (A \times (R \rightarrow \mathbb{R}^{\ge 0})) \cup \{\varepsilon\},\ t \in \mathbb{R}^{\ge 0},\ Act \subseteq A,\ x_t \in V_t,\ T \subseteq \mathbb{R}^{\ge 0},\ id \in \mathbb{N}$

Fig. 2. Syntax of PARS, Part 1: Process Specification



multiset is clear from the context.) The operators $+$ and $-$ are overloaded to represent addition and subtraction of multisets.

The syntax of process specification in PARS is presented in Figure 2. It resembles a relative dense time process algebra (such as relative dense time ACP of [2]) with empty process ($\varepsilon(0)$) and deadlock ($\delta$). The main difference with such a theory is the attachment of resource requirements to basic actions (most process algebras abstract from resource requirements by assuming abundant availability of shared resources) and our interpretation of time as duration of action execution. Basic action $\varepsilon(t)$ represents idling which lasts for $t$ time and does not require any resource. Other basic actions $(a, \rho)(t)$ are pairs of actions from the set $A$ together with the respective resource requirement function $\rho$ and the timing $t$ during which the resource requirement should be provided to the action. Thus, the time annotation $t$ should be interpreted as a duration, corresponding to the time duration for which action $a$ is to be executed; in standard timed process algebras, time annotations are usually interpreted as (absolute or relative) points in time corresponding to the occurrence or completion of an action. Terms $P ; P$, $P \parallel P$, $P \,|||\, P$, $P + P$ represent sequential composition, abstract and strict parallel composition, and nondeterministic choice, respectively. Abstract parallel composition refers to cases where the ordering (and possible preemption) of actions has to be decided by a scheduling strategy. Strict parallel composition is similar to standard parallel composition in timed process algebra in that it forces concurrent execution of the two operands. The deadline operator applied to process $P$ in $\sigma_t(P)$ specifies that process $P$ should terminate within $t$ units of time or it will deadlock. Recursion is specified explicitly using the expression $\mu X.P(X)$ where free variable $X$ may occur in process $P$ and is bound by $\mu X$. The term $\int_{x_t \in T} P(x_t)$ specifies continuous choice of $x_t$ (from the set of timing variables $V_t$) over set $T$. Similar to recursion, variable $x_t$ is bound in term $P$ by operator $\int_{x_t \in T}$. In this paper, we are only concerned with closed terms (processes that do not have free recursion or timing variables). To prevent process $P$ from performing particular actions in some given set $Act$ (in particular, to force synchronization among two parallel processes, see e.g., [2]), the encapsulation expression $\partial_{Act}(P)$ is used. Using the $id :$ construct, process terms are decorated with identifiers (natural numbers, following the idea of [4]) which serve to group processes for scheduling purposes. Note that an atomic action is neither required to have an identifier, nor does its identifier need to be unique. Later on, in the semantics, a process identifier is augmented with a few estimations of performance measures of processes, namely relative deadline and worst-case execution time. Such a semantic identifier, in turn, is referenced by the scheduler specification domain in order to devise scheduling strategies. Precedence of binding among binary composition operators is ordered as $;$, $|||$, $\parallel$, $+$, where $;$ binds the strongest and $+$ the weakest. Unary operators are followed by a pair of parentheses or they bind to the smallest possible term.

The operational semantics of process specification is given in Figure 3. States are process terms and the semantics has two types of transitions. First, time passage $\xrightarrow{M, t}$ (by spending time on resources or idling), where $M$ is the multiset that represents the amount of resources required by the actions participating in the transition. Elements of $M$ are of the form $(ids, \rho)$, where $ids$ is the set of identifiers related to the action having resource requirements $\rho$. The second type of transitions, $\xrightarrow{a}$, represent the completion of actions. These transitions occur when an action has used the resources it requires for the specified amount of time. We do not combine resource requirements of different actions, but keep them separate in a multiset, since they may be provided by different scheduling policies (based on their respective process identifiers). We use $\rightarrow$ as a shorthand for either of the two transitions. Predicate $P\downarrow$ refers to the possibility of successful termination of $P$. The semantics of process specification is the smallest transition relation (union of the time and action transition relations) and the smallest termination predicate satisfying the rules of Figure 3.

Rules (I0) and (I1) specify the transitions and termination options of idling processes. In rule (I1), $0$ is a shorthand for the function mapping all resources to zero. Rules (A0) and (A1) specify how an atomic action can spend time on its resources and after that commit. The semantics of sequential composition is captured by (S0)-(S2). Abstract parallel composition is specified by (P0)-(P4) and strict parallel composition by (SP0)-(SP3). In rule (P0), $t \gg Q$ uses an auxiliary unary operator (called deadline shift) specifying that $Q$ is getting $t$ units of time closer to its deadlines. Semantics of this operator is as follows:



(Sh0) $\dfrac{p(t') \rightarrow P'}{t \gg p(t') \rightarrow P'}$   (Sh1) $\dfrac{t \le t' \quad \sigma_{t'-t}(t \gg P) \rightarrow P'}{t \gg \sigma_{t'}(P) \rightarrow P'}$

(Sh2) $\dfrac{t \gg P \rightarrow P'}{t \gg (P ; Q) \rightarrow P' ; Q}$   (Sh3) $\dfrac{P\downarrow \quad t \gg Q \rightarrow Q'}{t \gg (P ; Q) \rightarrow Q'}$

(Sh4) $\dfrac{(t \gg P)\ Op_1\ (t \gg Q) \rightarrow P'}{t \gg (P\ Op_1\ Q) \rightarrow P'}$   (Sh5) $\dfrac{Op_2(t \gg P) \rightarrow P'}{t \gg Op_2(P) \rightarrow P'}$

(Sh6) $\dfrac{t + t' \gg P \rightarrow P'}{t' \gg (t \gg P) \rightarrow P'}$   (Sh7) $\dfrac{P\downarrow}{(t \gg P)\downarrow}$

$Op_1 \in \{\parallel, |||, +\},\ t, t' \in \mathbb{R}^{\ge 0},\ Op_2 \in \{\mu X.,\ \int_{x_t \in T},\ \partial_{Act},\ id:\}$

In the above semantics, the rules for sequential composition ((Sh2) and (Sh3)) are in line with the intuition that in scheduling theory only ready actions can take part in scheduling and other actions have to wait for their causal predecessors to commit. Function $\gamma(a, b)$ in rules (P3) and (SP2) specifies the
[Figure 3: inference rules (I0), (I1), (A0), (A1), (S0), (S1), (S2), (P0)-(P4) and (SP0)-(SP2) of the process specification semantics]

Fig. 3. Semantics of PARS, Part 1: Process Specification
result of a synchronized communication between $a$ and $b$. The semantics of abstract parallel composition deviates from standard semantics of parallelism in timed process algebras in that it allows for asynchronous spending of time by the two parties (rule (P0)). This reflects that depending on availability of resources and due to scheduling, concurrent execution of tasks can be preempted and serialized at any moment of time. Components not spending time on resources do not participate (actively) in a time transition. Rules (C0)-(C1) provide a semantics for nondeterministic choice. Given our interpretation of time, the choice operator does not have the property of time-determinism (which states that passage of time cannot determine choices): Starting to spend time on an action reveals the choice in the same way executing an action determines the choice in untimed process algebras. The deadline operator is defined by (D0)-(D2). There is no rule for $\sigma_0(P)$ when $P$ can only do a time step. This means that this process deadlocks (i.e., missing a deadline results in deadlock). Encapsulation is defined in rules (E0)-(E2) stating that the encapsulation operator prevents process $P$ from performing actions in $Act$. Rules (R0)-(R1) and (CC0)-(CC1) specify the semantics of recursion and continuous choice. Note that in the semantics of continuous choice, the choice is made as soon as the process term starts making a transition. Rules (Id0)-(Id2) specify the semantics of $id$ by adding the semantic identifier $\overline{id}$ to the multiset in the transition, where $\overline{id}$ is the tuple $(id, Dl(P), WCET(P))$ consisting of the syntactic id, (an estimation of) the deadline, and the worst-case execution time of $P$. We omit detailed definitions of $Dl$ and $WCET$. They are defined in [14] using structural induction on process terms. Other performance measures can extend or replace this notion of semantic identifier. In semantic rule (Id0), $\oplus$ stands for adding a semantic identifier to the set of identifiers of each resource-requirement function in the multiset.

The standard notion of strong bisimulation is not a congruence with respect 
to the operators defined in the process language. The problem lies particularly in 
the interaction between deadlines and abstract parallel composition. In [14], it is 
shown that strong bisimulation is a congruence with respect to a restricted subset 
of the language without the deadline operator. Also, there we define a notion of 
deadline-sensitive bisimulation that is a congruence. To show how the process 
specification language is to be used, next we specify a few common patterns from 
scheduling literature [5]. 

Example 1 (Periodic and Aperiodic Tasks) First, we specify a periodic task, consisting of an atomic action $a$ requiring a single CPU and 100 units of memory during its computation time of $t$, and with period of $t'$.

$P_1 = \mu X.((a, \{CPU \mapsto 1, Mem \mapsto 100\})(t) \,|||\, \varepsilon(t') ; X)$

Note that the computation time of the periodic task may be larger than the period (which means that any feasible scheduler must allow for task parallelism). Now, suppose that the exact computation time of $a$ is not known. However, we know that the computation time is within a (possibly infinite) interval $I$; then the periodic task is specified as follows.

$P_2 = \mu X.(\int_{x_t \in I} (a, \{CPU \mapsto 1, Mem \mapsto 100\})(x_t) \,|||\, \varepsilon(t') ; X)$

In the remainder, we use the syntactic shorthand $p(I)$ instead of $\int_{x_t \in I} p(x_t)$.

Aperiodic tasks follow a similar pattern with the difference that instead of the computation time, their period of arrival is not known:

$S = \mu X.((b, \{CPU \mapsto \ldots\}) \ldots \,|||\, \varepsilon([0, \infty)) ; X)$

If the process specification of the system consists of periodic user level tasks and aperiodic system level tasks (e.g., system interrupts) that are to be scheduled with different policies, the specification goes as follows:

$SysProc = System : (S) \parallel User : (P_2)$

where $System$ and $User$ are distinct integer id's for these two types of tasks.

Example 2 (Portable Tasks) Suppose that the task $a$ can run on different platforms, either on a dual-processor machine on which it will take 2 units of time and 100 units of memory (during those 2 time units) or on a single processor for which it will require 4 units of time and 70 units of memory (over the 4 time units). Then it is specified as follows:

$P = (a, \{CPU \mapsto 2, Mem \mapsto 100\})(2) + (a, \{CPU \mapsto 1, Mem \mapsto 70\})(4)$

3 Scheduler Specification 

The second part of system specification in PARS is about scheduler specification. In this part, we model availability of resources and the strategy to grant these resources to processes requiring them. This is done by using predicates referring to properties of processes eligible for receiving the resources. The syntax of scheduler specification ($Sc$) is similar to process specification and is specified in Figure 4. Basic actions of schedulers are predicates ($Pred$) mentioning appropriate processes to be provided with resources and the amount of resources available ($\bar\rho$) during the specified time ($t$). The predicate can refer to the syntactic identifier, deadline or worst-case execution time of processes. In the syntax of $Pred$, $Id$ is a variable from the set of semantic identifiers $V_i$ (with a distinguished member $W$ and typical members $Id_0$, $Id_1$, etc.). To refer to the specific process receiving the provided resources, we use $W$, and to refer to the processes in its context we use other members of $V_i$. Following the structure of a semantic identifier, $Id$ is a tuple containing the syntactic identifier ($Id.id$), deadline ($Id.Dl$) and execution time ($Id.WCET$). As in the process language, the language for predicates can be extended to other metrics of processes.
$Sc ::= \delta \mid s(t) \mid Sc ; Sc \mid Sc \parallel Sc \mid Sc \,|||\, Sc \mid Sc + Sc \mid \int_{x_t \in T} Sc(x_t) \mid Sc \rhd Sc \mid Sc \,\overline{\rhd}\, Sc \mid \rhd_{x_t \in T} Sc \mid \overline{\rhd}_{x_t \in T} Sc \mid \mu X.Sc(X)$

$Pred ::= Id.id\ Op_1\ Num \mid Id.Dl\ Op_1\ time \mid Id.WCET\ Op_1\ time \mid Pred\ Op_2\ Pred$

$Op_1 ::= <\ \mid\ =\ \mid\ >$   $Op_2 ::= \wedge \mid \vee$

$s \in (Pred \times (R \rightarrow \mathbb{R}^{\ge 0})) \cup \{\varepsilon\},\ t \in \mathbb{R}^{\ge 0},\ x_t \in V_t,\ time \in V_t \cup \mathbb{R}^{\ge 0},\ Id \in V_i,\ Num \in \mathbb{N}$

Fig. 4. Syntax of PARS, Part 2: Scheduler Specification



A couple of new operators are added to the ones in the process specification 
language. The preemptive precedence operator ▷ gives precedence to the 
right-hand-side term (with the possibility of the right-hand side taking over the 
execution of the left-hand side at any point). Continuous preemptive precedence 
⌊_{xt∈T} gives precedence to the least possible matching of xt ∈ T. To be more 
precise, a continuous precedence operator generates a symbolic transition system 
with all possible t ∈ T but, when confronted with a process, allows a transition 
with a particular t' only if the processes it is confronted with cannot make a 
transition with any t'' ∈ T such that t'' < t'. The non-preemptive counterparts of 
the precedence operators, ▷̄ and ⌊̄, have the same intuition, but they do not allow 
one side to take over if the other side has already decided to start. Timing 
variables bound by continuous choice or continuous precedence operators can be 
used in predicates (as timing constants) and in process timings. 

The semantics of schedulers is presented in Figure 5. It induces a symbolic 
transition system that has predicates indicating resource grants on its labels. At 
this level, we assume no information about the resource-requiring processes that 
the scheduler is to be confronted with. Thus, the resource grant predicates specify 
the criteria that processes receiving resources should satisfy and the criteria they 
should falsify. The latter can be used to state that a process should not be able to 
perform higher priority transitions. The transition relation is of the form 
P −(M,t)→ P', where M is a multiset containing predicates about processes that can 
receive a certain amount of resources during time t. Elements of M are of the form 
(pred, npred, ρ̄) where pred is the positive predicate that the process receiving 
resources should satisfy, npred is the negative predicate that it should falsify 
and ρ̄ is the function representing the amount of different resources offered. 
Rules (ScA0) and (ScA1) specify the semantics of atomic scheduler actions. 
Rule (ScA1) shows that a scheduler can provide its resources if the requiring 
process satisfies its predicate. The negative predicate of a basic scheduler is set 
to false (which is falsified by default). Rules (Pr0)-(Pr2) specify the semantics 
for the precedence operator. In these rules, M ∨_neg pred stands for adding pred 
as a disjunct to all negative predicates in M. Enabledness of a process term 
is used as a negative predicate to assure that a lower priority process cannot 
Fig. 5. Semantics of PARS, Part 2: Scheduler Specification (rules (ScA0), (ScA1), 
(Pr0)-(Pr2), (CPr0)-(CPr1), (NPr0)-(NPr2) and (NCPr0)-(NCPr1); the rule bodies 
are not recoverable from the scan) 



take over a higher priority one. The notion of enabledness is defined as follows. 
(P→ stands for the possibility of performing a transition P →^x P' for some P' 
and x. Moreover, P↛ stands for its negation.) 

\[
\begin{aligned}
en((pred, \rho)(t)) &= pred \\
en(P \mathbin{;} Q) &= \begin{cases}
  en(P) \vee en(Q) & \text{if } P\surd \wedge P\rightarrow \\
  en(P) & \text{if } \neg(P\surd) \\
  en(Q) & \text{if } P\surd \wedge P\nrightarrow
\end{cases} \\
en(P \parallel Q) = en(P + Q) = en(P \rhd Q) = en(P \,\bar{\rhd}\, Q) &= en(P) \vee en(Q) \\
en(\textstyle\sum_{xt \in T} P(xt)) = en(\lfloor_{xt \in T} P(xt)) = en(\bar{\lfloor}_{xt \in T} P(xt)) &= xt \in T \wedge en(P(xt))
\end{aligned}
\]



Rules (CPr0)-(CPr1) present the semantic rules for the continuous precedence 
operators. In rule (CPr0), the expression ⌊T⌋_t is defined as {t' | t' ∈ T ∧ t' < t}. 

Note that in both preemptive precedence operators, the possibility of other 
options (lower or higher priority processes) always remains after making a 
transition. This allows for preempting or changing the resource provision at any 
point of time based on the processes that the scheduler is confronted with. 
Rules (NPr0)-(NPr2) and (NCPr0)-(NCPr1) specify the semantics of the 
non-preemptive precedence operators. We omit the semantic rules for operators 
shared with process specification since they are analogous to those specified 
in the process specification semantics. Apart from action transition rules such 
as (P1) and (P3), which are absent in the semantics of schedulers, the rest of the 
rules in Figure 3 remain intact for this semantics. 

Example 3 Consider the process specification of Example 1, where the system 
consists of two types of processes: user processes and system processes. Suppose 
that our execution platform can provide two processors and 200 units of memory. 
System processes have priority over user processes (in using CPUs). The 
following scheduler is a first attempt to specify our scheduling strategy: 

SchMem = (true, {Mem ↦ 200})([0, ∞)) 

PrSch_CPU0 = (W.id = User, {CPU ↦ 2})([0, ∞)) ▷ (W.id = System, {CPU ↦ 2})([0, ∞)) 

Sch_0 = SchMem ||| PrSch_CPU0 

The above specification generates a transition system that allows arbitrary time 
transitions providing both CPUs and 200 units of memory with negative predicate 
false to system processes (meaning that there is no process that can take over 
a system process). However, according to rule (Pr0), for transitions providing 
CPUs to user processes, the predicate t ∈ [0, ∞) ∧ W.id = System is added as 
a negative predicate. Intuitively, this should mean that CPUs are provided to 
a user process if no system process is able to take that transition. However, 
this would prevent the user process from gaining access to its CPU requirement 
even if only a single CPU is used by a system process (thus, one CPU can be 
wasted without any reason). The following scheduler specification solves this 
problem by separating the scheduling of the two CPUs: 

PrSch_CPU1 = (W.id = User, {CPU ↦ 1})([0, ∞)) ▷ (W.id = System, {CPU ↦ 1})([0, ∞)) 

Sch_1 = PrSch_CPU1 ||| PrSch_CPU1 ||| SchMem 

Part of the symbolic transition system of scheduler Sch_1 is depicted in Figure 6. 
Of course, part of the intuitive explanation given above remains to be formalized 
by the semantics of applying schedulers to processes, where resources are provided 
to actual tasks (i.e., the symbolic transition of a scheduler is matched with an 
actual transition of a process). 

Example 4 (Specifying Scheduling Strategies) To illustrate the scheduler 
specification language, we specify a few generic single-processor scheduling 
strategies. 

Non-preemptive Round-Robin Scheduling: Consider a scheduling strategy where 
a single processor is going to be granted to processes non-preemptively in an 
increasing order of process identifiers (from 0 to n). The following scheduler 
specifies the round-robin strategy. 

Sch_NP-RR = μX.((W.id = n, {CPU ↦ 1})([0, ∞)) ▷̄ ... ▷̄ 
            (W.id = 1, {CPU ↦ 1})([0, ∞)) ▷̄ (W.id = 0, {CPU ↦ 1})([0, ∞))) ; X 

Rate Monotonic Scheduling: Consider the following process specifications of several 
periodic tasks: 

SysProc = P_0 || P_1 || ... || P_n 

P_i = μX.((2i + 1) : ((a_i, ρ_i)(t)) ||| (2i) : …) ; X 

The following scheduler specifies the preemptive rate monotonic strategy, where 
processes with the shortest period (the highest rate) have priority: 

RMSch(i, xt) = (W.id = 2i + 1 ∧ Id_0.id = 2i ∧ Id_0.WCET = xt, {CPU ↦ 1})([0, ∞)) 

RMSch = ⌊_{xt>0} (RMSch(0, xt) + ... + RMSch(n, xt)) 

Scheduler process RMSch(i, t) specifies that the process receiving the CPU should 
have an odd identifier (thus, being an action) and its corresponding period should 
have worst-case execution time t. Process RMSch states that the processes with 
the least period have precedence over the others. 

4 Applying Schedulers to Processes 

Scheduled systems are processes resulting from the application of a scheduler to 
processes. The syntax of scheduled systems is presented in Figure 7. In this syntax, 
P and Sc refer to the syntactic classes of processes and schedulers presented in the 
previous sections. The term ⟨⟨Sys⟩⟩_Sc denotes applying scheduler Sc to the system 
Sys, and ∂_Res(Sys) is used to close a system specification and prevent it from 
requiring resources in Res. 

The semantics of the new operators for scheduled systems is defined in Figure 8. 
The type of labels in the transition relation is the same as that of the 
transition relation in the process specification semantics of Figure 3 (hence, 
multisets in time transitions are resource requirement multisets). Since a process 
is a system by definition, all semantic rules of Figure 3 carry over to the 
semantics of systems. It should be understood that the variables ranging over 



[(Id.id = System, false, {CPU ↦ −1}), (Id.id = User, Id.id = System, {CPU ↦ −1}), 
 (true, false, {Mem ↦ −200})], t 

[(Id.id = System, false, {CPU ↦ −1}), (Id.id = System, false, {CPU ↦ −1}), 
 (true, false, {Mem ↦ −200})], t 

[(Id.id = User, Id.id = System, {CPU ↦ −1}), (Id.id = User, Id.id = System, {CPU ↦ −1}), 
 (true, false, {Mem ↦ −200})], t 

Fig. 6. Part of the transition system of scheduler Sch_1 in Example 3 (only the 
three transition labels are recoverable from the scan; states and arrows are not) 
Sys ::= P | ⟨⟨Sys⟩⟩_Sc | Sys ; Sys | Sys || Sys | Sys ||| Sys | Sys + Sys | 
        ∂_Res(Sys) | σ_t(Sys) | μX.Sys(X) | id : Sys 

Fig. 7. Syntax of PARS, Part 3: Syntax of Scheduled Systems 



process terms in Figure 3 are in this case ranging over the more general class of 
system terms. 

The application operator ⟨⟨Sys⟩⟩_Sc is defined by semantic rules (Sys0)-(Sys2). 
In (Sys0), the operator apply : Sys × M × M → 𝒫(M) is meant to apply a multiset 
of resource-providing predicates (third parameter) to a multiset of 
resource-requiring tasks (second parameter) originating from a system (first 
parameter). The formal definition of this operator is the smallest function 
satisfying the following constraint: 

\[
\forall_{m \in M'}\; M'' \in applyTask(S, M, m, \emptyset) \Rightarrow apply(S, M'', M' - [m]) \subseteq apply(S, M, M')
\]

In this statement, applyTask (defined below) is meant to provide the set of 
possible outcomes of applying a single resource-providing task m to the 
resource-requiring multiset M (the fourth parameter of applyTask is used to keep 
track of the resource-requiring tasks checked so far for receiving the provided 
resource). This statement means that the application of a scheduler task to a 
multiset of process tasks is done by taking an arbitrary scheduler task, applying 
it to the multiset of process tasks and starting over with the rest of the 
scheduler tasks. The function applyTask is the smallest function satisfying the 
following constraints: 

\[
applyTask(S, [\,], m, M') \triangleq \{[\,]\}
\]

\[
N + N' \in applyTask(S, [(ids, \rho)] + M, (pred, npred, \bar\rho), M'), \quad \text{where}
\]

\[
\begin{cases}
N = [(ids, \max(0, \rho + \bar\rho))] \;\wedge\; N' \in applyTask(S, M, (pred, npred, \min(0, \rho + \bar\rho)), M' + [(ids, \rho)])
 & \text{if } pred(ids, M + M' + [(ids, \rho)]) \wedge \neg engage(S, M + M' + [(ids, \rho)], (pred, npred, \bar\rho)) \\[4pt]
N = [(ids, \rho)] \;\wedge\; N' \in applyTask(S, M, (pred, npred, \bar\rho), M' + [(ids, \rho)])
 & \text{otherwise}
\end{cases}
\]

The above expression states that if we pick a resource-requiring task (ids, ρ) 
which satisfies the positive predicate (specified by pred(ids, M + M' + [(ids, ρ)])) 
and the tasks in its context (including the picked task itself) cannot satisfy the 
negative predicate (¬engage(S, M + M' + [(ids, ρ)], (pred, npred, ρ̄))), then we 
can grant the resources to this task and continue feeding the remaining tasks 
with the remaining resources. Otherwise, we leave this resource-requiring task 
and proceed with the remaining tasks. In this expression, min(0, ρ + ρ̄) and 
max(0, ρ + ρ̄) are the point-wise minimum and maximum of ρ(r) + ρ̄(r) with 0, 
respectively. The predicate pred(id, M) means that there exists a mapping from 
variables in V_I (the set of id variables) to the semantic identifiers in M (in 
particular mapping W to a member of ids) which satisfies pred. The predicate 
engage is formally defined as follows: 

\[
engage(S, M, (pred, npred, \bar\rho)) \triangleq \exists_{M', t, S', ids, \rho, id}\;
S \xrightarrow{M', t} S' \wedge M \subseteq M' \wedge (ids, \rho) \in M' \wedge id \in ids \wedge npred(id, M') \wedge \exists_{r \in R}\, \rho(r) > 0 \wedge \bar\rho(r) < 0
\]

This predicate checks whether S can perform a transition with a resource-requiring 
multiset M' that, firstly, contains M (thus extending the same group of tasks) and, 
secondly, contains a task identifier id that satisfies the negative predicate 
(npred(id, M'), defined in the same way as pred(id, ...)) and whose task can 
potentially use the resources offered by ρ̄. To summarize, it checks for the 
existence of a higher priority task in the context that can possibly consume the 
resources offered by the scheduler. 

Fig. 8. Semantics of PARS, Part 3: Applying Schedulers to Processes (rules 
(Sys0)-(Sys2) and (ER0)-(ER2); of the figure body only the hypotheses of (Sys0), 
Sys −(M,t)→ Sys', Sc −(M',t)→ Sc' and M'' ∈ apply(Sys, M, M'), are recoverable 
from the scan) 

Note that application of a scheduler to a system does not necessarily satisfy all 
resource requirements of the system. Since the transition system of a scheduled 
system is itself a process specification transition system, several schedulers can 
be applied to a system in a distributed (using parallel composition of several 
schedulers) or hierarchical (using several levels of application operator) fashion 
in order to satisfy all its requirements. 

Rules (ER0)-(ER2) represent preventing the system from requiring resources 
of a certain type by using an encapsulation operator on a given set of resources 
(similar to the encapsulation construct for actions). 

Example 5 Consider the following process specification and the two different 
Earliest Deadline First (EDF) schedulers: 

Proc = 1 : (σ_1((a, {CPU ↦ 1, Mem ↦ 100})(1))) || 2 : (σ_2((b, {CPU ↦ 1, Mem ↦ 100})(2))) 

EDF_1 = μX.(⌊_{xt>0}((W.Dl = xt, {CPU ↦ −2, Mem ↦ −200})(2))) ; X 

EDF_2 = μX.(⌊_{xt>0}((W.Dl = xt, {CPU ↦ −1, Mem ↦ −100})(2)) ||| 
            ⌊_{xt>0}((W.Dl = xt, {CPU ↦ −1, Mem ↦ −100})(2))) ; X 

In the system ∂_{CPU,Mem}(⟨⟨Proc⟩⟩_EDF_1) the scheduler should start by providing 
all available resources to task 1 for one unit of time, thus wasting one CPU 
and 100 units of memory. After that, the available resources will be given to 
process 2. However, that process misses its deadline, since it needs 2 units of 
time to compute while its deadline has already been shifted to 1. In contrast, the 
system ∂_{CPU,Mem}(⟨⟨Proc⟩⟩_EDF_2) allows for a successful run. In this case, in the 
first time unit each of the two processes can receive a CPU and 100 units of memory. 
This is because after one of the basic schedulers has provided the required 
resources of process 1, the other scheduler may assign its resources to process 2. 
It follows from the semantics that after applying one resource offer to process 1, 
the whole process cannot engage in a resource interaction with a deadline of less 
than 2, and thus process 2 can receive its required resources. 

This example helps us to realize that although scheduling policies such as 
earliest deadline first are assumed to be well-defined scheduling policies, formal- 
izing their definition shows that different flavors of them may exist in practice 
(especially with respect to multiple resources), some of which may perform better 
than others for different systems. 
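As an added illustration (not part of the paper and not the authors' code), the following Python replays Examples 3 and 5 through the applyTask and engage definitions of Section 4: a positive predicate selects the task, a negative predicate blocks it when a higher priority task in the context could consume the offer, and the point-wise max(0, ρ + ρ̄) / min(0, ρ + ρ̄) bookkeeping splits what the task still needs from what the offer has left. Everything beyond those definitions is an assumption of the example: the workload for Example 3 (one System and one User task, one CPU each) is constructed; engage inspects only the current multiset rather than every transition of S; tasks are visited in list order; and the continuous precedence operator of the EDF schedulers is approximated by fixing xt to the deadlines present, so its negative predicate becomes "a task with an earlier deadline exists".

```python
# Added example, not the paper's code: the applyTask/engage definitions of
# Section 4 as executable Python, replayed on Example 3 (Sch_0 vs Sch_1) and
# Example 5 (EDF_1 vs EDF_2).  Assumptions: engage inspects only the current
# multiset (M' = M) instead of every transition of S; tasks are visited in
# list order (one of the orders the multiset definition allows); offers are
# applied in every order, as the apply constraint allows.
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, Dict, FrozenSet, Tuple

Id = Tuple[str, float, float]          # (Id.id, Id.Dl, Id.WCET) as in Fig. 4
Res = Tuple[Tuple[str, float], ...]    # resource function as sorted (resource, amount) pairs

@dataclass(frozen=True)
class Task:                            # element (ids, rho) of a requirement multiset, rho >= 0
    ids: FrozenSet[Id]
    rho: Res

@dataclass(frozen=True)
class Offer:                           # element (pred, npred, rho_bar) of a grant label, rho_bar <= 0
    pred: Callable[[Id, Tuple[Task, ...]], bool]
    npred: Callable[[Id, Tuple[Task, ...]], bool]
    rho: Res

def res(d: Dict[str, float]) -> Res:
    return tuple(sorted(d.items()))

def split(rho: Res, rho_bar: Res) -> Tuple[Res, Res]:
    """Point-wise rho(r) + rho_bar(r): max(0, .) is what the task still needs,
    min(0, .) is what the offer has left (Section 4)."""
    d, db = dict(rho), dict(rho_bar)
    s = {r: d.get(r, 0) + db.get(r, 0) for r in set(d) | set(db)}
    return res({r: max(0, v) for r, v in s.items()}), res({r: min(0, v) for r, v in s.items()})

def holds(p, ids: FrozenSet[Id], ctx: Tuple[Task, ...]) -> bool:
    """pred(ids, M): some member of ids, playing the role of W, satisfies p in context M."""
    return any(p(w, ctx) for w in ids)

def engage(ctx: Tuple[Task, ...], m: Offer) -> bool:
    """Simplified engage: some task in ctx satisfies the negative predicate and
    could consume something the offer provides (rho(r) > 0 and rho_bar(r) < 0)."""
    prov = dict(m.rho)
    return any(holds(m.npred, t.ids, ctx)
               and any(a > 0 and prov.get(r, 0) < 0 for r, a in t.rho)
               for t in ctx)

def apply_task(tasks: Tuple[Task, ...], m: Offer) -> Tuple[Task, ...]:
    """applyTask for one visiting order: grant to each task that satisfies pred
    while no higher priority task can engage, then continue with what is left."""
    out = []
    for i, t in enumerate(tasks):
        ctx = tuple(out) + tasks[i:]            # M + M' + [(ids, rho)] in the paper's terms
        if holds(m.pred, t.ids, ctx) and not engage(ctx, m):
            need, left = split(t.rho, m.rho)
            out.append(Task(t.ids, need))
            m = Offer(m.pred, m.npred, left)
        else:
            out.append(t)
    return tuple(out)

def apply(tasks: Tuple[Task, ...], offers) -> set:
    """apply(S, M, M'): outcomes over every order in which the offers are applied."""
    outcomes = set()
    for order in permutations(offers):
        cur = tasks
        for m in order:
            cur = apply_task(cur, m)
        outcomes.add(cur)
    return outcomes

def all_served(tasks: Tuple[Task, ...]) -> bool:
    return all(a == 0 for t in tasks for _, a in t.rho)

# Predicates over W (first argument) in a context (second argument)
is_sys = lambda w, ctx: w[0] == "System"
is_usr = lambda w, ctx: w[0] == "User"
never = lambda w, ctx: False                     # the default negative predicate false

def example3():
    """Constructed workload: one System and one User task, each needing one CPU."""
    tasks = (Task(frozenset({("System", 0.0, 0.0)}), res({"CPU": 1})),
             Task(frozenset({("User", 0.0, 0.0)}), res({"CPU": 1})))
    # Sch_0: a single 2-CPU offer per branch of PrSch_CPU0; rule (Pr0) has added
    # "W.id = System" as the negative predicate of the user branch.
    sch0_branches = [Offer(is_sys, never, res({"CPU": -2})), Offer(is_usr, is_sys, res({"CPU": -2}))]
    sch0 = set().union(*(apply(tasks, [b]) for b in sch0_branches))
    # Sch_1: two independent 1-CPU offers, one per copy of PrSch_CPU1.
    sch1 = apply(tasks, [Offer(is_sys, never, res({"CPU": -1})), Offer(is_usr, is_sys, res({"CPU": -1}))])
    return sch0, sch1

def edf_offer(xt: float, cpu: float, mem: float) -> Offer:
    """(W.Dl = xt, an earlier deadline exists (rule (CPr0)), {CPU -> cpu, Mem -> mem})"""
    return Offer(lambda w, c: w[1] == xt, lambda w, c: w[1] < xt, res({"CPU": cpu, "Mem": mem}))

def example5():
    tasks = (Task(frozenset({("1", 1.0, 1.0)}), res({"CPU": 1, "Mem": 100})),
             Task(frozenset({("2", 2.0, 2.0)}), res({"CPU": 1, "Mem": 100})))
    edf1 = apply(tasks, [edf_offer(1.0, -2, -200)])                             # one bundled offer
    edf2 = apply(tasks, [edf_offer(1.0, -1, -100), edf_offer(2.0, -1, -100)])  # two half offers
    return edf1, edf2
```

The checks worth running are that no outcome of Sch_0 serves both tasks while some outcome of Sch_1 does, and likewise that EDF_2 but not EDF_1 serves both processes in Example 5. The set returned by apply is nondeterministic in the order the offers are applied, which is exactly why the text says EDF_2 "allows for" a successful run rather than guaranteeing one.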

5 Related Work 

Several theories of process algebra with resources have been proposed recently. 
Our approach is mainly based on dense time ACSR of [3]. ACSR [13, 12] is 
a process algebra enriched with priorities and specification of resources. Sev- 
eral extensions to ACSR have been proposed over time for which [13] provides 
a summary. The main shortcoming of this process algebra is the absence of an 
explicit scheduling concept. In ACSR, scheduling strategy is coded by means 
of priorities inside the process specification domain. Due to lack of a resource 
provision model, some other restrictions are also imposed on resource demands 
of processes. For example, two parallel processes are not allowed to call for one 
resource or they deadlock. 

Our work has also been inspired by [4]. There, a process algebraic approach to 
resource modelling is presented and application of scheduling to process terms 
is investigated. This approach has an advantage over that of ACSR in that 
scheduling is separated from the process specification domain. However, firstly, 
there is no structure or guideline to define schedulers in this language (as [13] puts 
it, the approach looks like defining a new language semantics for each scheduling 
strategy) and secondly, the scheduling is restricted to a single resource (single 
CPU) concept. 

Scheduling algebra of [17] defines a process algebra that has processes with 
interval timing. Computing the possible start time of tasks (so-called anchor 
points) is the only aspect of scheduling that is taken into account and it abstracts 
from resource requirements/provisions. 

RTSL of [10] defines a discrete-time process algebra for scheduling analysis 
of single processor systems. The only shared resource in this process algebra is 
the single CPU. The restriction of tasks, in this approach, to sequential processes 
makes the language less expressive than ours (for example, in the process 
language a periodic task whose computation time may be larger than its period 
cannot be specified). Also, coding the scheduling policy in terms of a priority 
function may make specification of scheduling more cumbersome (similar to [4]). 

Timed automata, as a well-known specification method for timed systems, 
have been extended to cover the notion of resources and scheduling as well (see [9], 
for example). Papers [16] and [11] are examples of extensions of untimed models 
with resources. 

Asynchrony in timed parallel composition (interleaving of relative timed 
transitions) has been of little interest in timed process algebras. Semantics of 
parallel composition in ATP [15] and different versions of timed-ACP [2], timed-CCS 
[6, 7] and timed-CSP [8] all enforce synchronization of timed transitions 
such that both parallel components evolve concurrently in time. The cIPA of [1] 
is among the few timed process algebras that contain a notion of timed asynchrony. 
In this process algebra, non-synchronizing actions are forced to make 
asynchronous (interleaving) time transitions and synchronizing actions are 
specified to perform synchronous (concurrent) time transitions. This distinction is 
not necessary in our framework, since non-synchronizing actions may find enough 
resources to execute in true concurrency and synchronizing actions may be forced 
to make interleaving time transitions due to the use of shared resources (e.g., 
scheduling two synchronizing actions on a single CPU). 



6 Conclusion 

In this paper, we propose an approach to integrate the separate specifications of 
real-time behavior (including aspects such as duration of actions, causal depen- 
dencies, synchronization) and scheduling strategy in an integrated and uniform 
process algebraic formalism. This allows for formalizing scheduling algorithms 
and benefiting from them in process algebraic design of systems as independent 
specification entities that influence the real-time behavior of the system. Our 
technical contribution to the current real-time and/or resource-based process 
algebraic formalisms can be summarized as defining a dense and asynchronous 
timed process algebra for resource consuming processes, providing a (similar) 
process algebraic language with basic constructs for defining resource provid- 
ing processes (schedulers with multiple resources) and defining application of 
schedulers to processes in an algebraic fashion. 

The theory presented in this paper can be completed/extended in several 
ways. Among those, axiomatizing PARS is one of the most important ones. As 
it can be seen in this paper, the three phases of specifications share a major 
part of the semantics; thus bringing the three levels of specification closer (for 
example, allowing for multi-level scheduling of a resource or allowing resource 
consuming schedulers) can be beneficial. Furthermore, applying the proposed 
theory in practice calls for simplification (e.g., to discrete time), optimization 
for implementation, tooling and experimenting in the future. 
Abstract. The verification formalism / modeling and simulation language 
hybrid Chi is defined. The semantics of hybrid Chi is formally specified using 
Structured Operational Semantics (SOS) and a number of associated functions. The 
χ syntax and semantics can also deal with local scoping of variables and/or 
channels, implicit differential algebraic equations, such as higher index systems, 
and they are very well suited for specification of pure discrete event systems. 



1 Introduction 

The hybrid χ (Chi) language was originally designed as a modeling and simulation 
language for specification of discrete-event (DE), continuous time (CT) 
or combined DE/CT models (so-called hybrid models). The language and simulator 
have been successfully applied to a large number of industrial cases, such 
as an integrated circuit manufacturing plant, a brewery, and process industry 
plants [1]. For the purpose of verification, the discrete-event part of the language 
was mapped onto the χ_σ process algebra, for which a structured operational 
semantics was defined, bisimulation relations were derived, and a model checker 
was built [2]. In this way, verification of DE χ models was made possible [3]. 

One of the goals of our research is the development of a hybrid verification 
formalism / modeling and simulation language with associated verification and 
simulation tools. The recent formalization of the χ language, including the 
continuous part, resulted in the χ_σh process algebra, described in this paper, and 
in a more elegant χ modeling language. The χ language now has the same operators, 
with the same semantics, as the χ_σh formal language. The χ modeling language 
extends χ_σh with, among others, parameterized process and experiment definitions 
and instantiations. A straightforward syntactical translation of χ to χ_σh is 
described in [4]. 

The χ_σh language is a hybrid process algebra, and is thus related to other 
hybrid process algebras, such as HyPA [5], the φ-Calculus [6], and hybrid 
formalisms based on CSP [7], [8]. It is also related to hybrid Petri nets [9], hybrid 
I/O automata [10], hybrid automata [11], and to work derived from hybrid 
automata, such as Charon [12] and Masaccio [13]. The main difference between 
the χ formalism and these other formalisms is that χ is overall a more expressive 
formalism. Higher expressivity means either that certain phenomena can be 
modeled in χ whereas they cannot be modeled in some other formalisms, or that 
certain phenomena can be modeled more concisely or more intuitively in χ. The 
higher expressivity is a result of: 

1. The relatively large number of operators dedicated to modeling of discrete-event 
behavior. This makes it easy to abstract from continuous behavior and specify pure 
discrete-event models, without any continuous variables. In this respect, χ has 
much in common with the φ-Calculus [6], and the hybrid formalisms based on CSP 
[7], [8]. 

2. The division of continuous variables into three subclasses. This allows for 
specification of steady state initialization, initialization of algebraic vari- 
ables, consistent initialization of higher index systems, mode switches accompanied 
by index changes [14], and variables changing dynamically from differential 
to algebraic. In HyPA [5], such phenomena can in principle also be specified. 
HyPA, however, requires a categorization of variables attached to every equation, 
whereas in χ this can be specified once, by means of a scope operator. 

3. The scope operator combined with parameterized process definition and 
instantiation that enable hierarchical composition of processes. In this respect, 
the χ language is related to Charon [12], which allows components to be defined 
and instantiated. Local variables and variable abstraction are present in many 
formalisms. In χ, however, the concepts of variable abstraction and channel 
abstraction (comparable with action abstraction in other formalisms) are 
integrated in the scope operator, which also provides a local scope for the three 
classes of continuous variables and for recursive process definitions. 

Section 2 describes the syntax of the χ_σh language. In Section 3, the semantics 
of χ_σh is formally specified using a structured operational semantics (SOS) and 
a number of associated functions. Examples in Section 4 are used to illustrate 
the language. 

2 Syntax of the χ_σh Language 

A χ_σh process is a triple (p, σ, E), where p denotes a process term, σ denotes 
a valuation, and E denotes an environment. A valuation is a partial function from 
variables to values (constants). Syntactically, a valuation is denoted by a set of 
pairs {x_0 ↦ c_0, ..., x_n ↦ c_n}, where x_i denotes a variable and c_i its value. 
An environment is a five-tuple (E_V, E_J, E_F, E_C, E_R), where E_V, E_J, E_F denote 
sets of "normal" continuous variables, jumping continuous variables, and fixed 
continuous variables, respectively. In most models, the normal continuous 
variables are used. The behavior of these variables depends on the way they occur in 
equations: a normal continuous variable that occurs differentiated or algebraic 
(not differentiated) behaves as a fixed continuous variable or as a jumping 
continuous variable, respectively (see the semantics of function H in Section 3). All 
variables must be in the domain of σ. The variables that are not in any of the 
sets E_V, E_J, E_F are discrete. In the environment, E_C denotes a set of channel 
labels, and E_R denotes a recursive process definition. A recursive process definition 
is a partial function from recursion variables to process terms. Syntactically, a 
recursive process definition is denoted by a set of pairs {X_0 ↦ p_0, ..., X_m ↦ p_m}, 
where X_i denotes a recursion variable and p_i the process term defining it. Process 
terms P in χ_σh are built from atomic process terms (AP) using operators 
for combining them: 

AP ::= skip | x := e | m!e | m?x | u | Δe_n 

P ::= AP | X | b → P | P ▷ P | P ; P | P ⊕ P 
      | P | P | P || P | |[ σ, E | P ]| | ∂(P) | π(P) 

An informal (concise) explanation of this syntax is given below. Section 3 gives 
a more detailed account of their meaning. 

The process term skip represents an internal action. The value of variables 
can be changed instantaneously through assignments. An assignment is a process 
term of the form x := e with x a variable and e an expression. In principle, 
the continuous variables change arbitrarily over time. Predicates (u) are used 
to control these changes, i.e., a predicate restricts the allowed behavior of the 
continuous variables. In χ two types of predicates over continuous and discrete 
variables are allowed: (1) differential equations of the form rde_1 = rde_2 where 
rde_1 and rde_2 are real-valued expressions in which the derivative operator may 
be used (e.g., ẋ = −x + y), and (2) predicates in which the derivative operator 
may not be used (e.g., x > 0, y = 2x + 2, true). 

More complex process terms can be obtained by composing process terms 
by means of, among others, sequential composition (;), choice (⊕), alternative 
composition (|), parallel composition (||) and guarding a process term p by a 
boolean expression b: b → p. The process term b → p denotes the process term 
that behaves as process term p in case the boolean expression b evaluates to true 
and deadlocks otherwise. 

Processes interact either through the use of shared variables or by synchronous 
point-to-point communication over a channel. By means of m!e, the value of 
expression e is sent over channel m. By means of m?x a value is received from 
channel m in variable x. The acts of sending and receiving a value have to take 
place at the same moment in time. The encapsulation operator ∂ is introduced to 
block internal send and receive events in order to assure that only their 
synchronous execution takes place. 

Some of the atomic process terms in χ_σh are delay-able (sending and receiving), 
others are not delay-able (skip, assignments). By means of the delay process 
term Δe_n a process can be forced to delay for the number of time units specified 
by the value of numerical expression e_n. By means of the maximal progress 
operator π, execution of actions can be given priority over passage of time. 

The disrupt operator (▷) is used for describing that a process is allowed to 
take over execution from another process even if that process is not finished yet 
(this in contrast with sequential composition). This is useful for describing mode 
switches and interrupts/disrupts. 

In χ, two operators can be used for the purpose of describing alternative 
behaviors: the choice operator (⊕) and the alternative composition operator (|). 
The choice operator allows choice between different kinds of continuous behavior 
of a process, where the choice depends on the initial state of the continuous-time 
or hybrid process. The alternative composition operator allows choice between 
different actions/events of a process, usually between time-events, state-events or 
communication events of a discrete-event controller. In such a case, time-passing 
should not make a choice. The choice is delayed until the first action is possible. 

A scope process term |[ σ, E | p ]| is used to declare a local scope. Here σ 
denotes a valuation of local variables, and E denotes a local environment as 
defined in the beginning of this section. 

The operators are listed in descending order of their binding strength as 
follows: {;, →, ▷}, {⊕, |, ||}. The operators inside the braces have equal binding 
strength. In addition, operators of equal binding strength associate to the left, 
and parentheses may be used to group expressions. 



3 Semantics of the χ_σh Language 

In this section, the structured operational semantics (SOS) of χ_σh is presented. 
It associates a hybrid transition system [15] with a χ_σh process. 

3.1 General Description of the SOS 

The main purpose of such an SOS is to define the behavior of χ_σh processes at 
a certain chosen level of abstraction. The meaning of a χ_σh process depends on 
the values of the variables and on the environment. A set V of variables, and 
a set C of channel labels that may be used in χ_σh specifications are assumed. 
The values of the variables at a specific moment in time are captured by means 
of a valuation, i.e., a partial function from the variables to the union of the set 
of values Λ (containing at least the booleans 𝔹 and the reals ℝ) and a "value" 
⊥ (indicating undefinedness). The set of all valuations is denoted Σ: Σ = V ↦ 
(Λ ∪ {⊥}). The set T is used to represent points in time; usually T = ℝ_{≥0}. The 
set of environments ES is defined as ES = 𝒫(V) × 𝒫(V) × 𝒫(V) × 𝒫(C) × RS, 
where 𝒫 denotes the powerset function and RS = XS ↦ P denotes the set of all 
partial functions from recursion variables XS to process terms P. The elements of 
an environment E ∈ ES can be obtained by means of five functions: 𝒱, 𝒥, ℱ ∈ 
ES → 𝒫(V), 𝒞 ∈ ES → 𝒫(C), and ℛ ∈ ES → RS. The function 𝒱 is defined 
as 𝒱(E_V, E_J, E_F, E_C, E_R) = E_V. The functions 𝒥, ℱ, 𝒞 and ℛ are defined in 
a similar way to the function 𝒱. The SOS is chosen to represent the following: 

1. instantaneous execution of discrete transitions: 

(a) _ →^{_} _ ⊆ (P × Σ × ES) × (At × Σ) × (P × Σ × ES), where At denotes the 
actions, and is defined as At = {a(m, c) | a ∈ {isa, ira, ca}, m ∈ C, c ∈ 
Λ} ∪ {τ}. Here, isa, ira, ca denote action labels for internal send action, 
internal receive action and communication action respectively, m ∈ C 
denotes a channel, c ∈ Λ denotes a value, and τ is the internal action. 

The intuition of a transition (p, σ, E) →^{a,σ'} (p', σ', E) is that the process 
(p, σ, E) executes the discrete action a ∈ At and thereby transforms into 
the process (p', σ', E), where σ' denotes the accompanying valuation of 
the process term p' after the discrete action a is executed. 

(b) _ →^{_} ✓ ⊆ (P × Σ × ES) × (At × Σ) × (Σ × ES). The intuition of a 
transition (p, σ, E) →^{a,σ'} (✓, σ', E) is that the process (p, σ, E) executes 
the discrete action a and thereby transforms into the terminated process 
(✓, σ', E). 

2. continuous behavior: _ ⇝^{_} _ ⊆ (P × Σ × ES) × ((T ↦ Σ) × T) × (P × Σ × ES). 
The intuition of a transition (p, σ, E) ⇝^{ς,t} (p', ς(t), E) is that the variables in 
dom(σ) behave (continuously) according to the trajectories in ς until (and 
including) time t and then result in the process (p', ς(t), E), where ς(t) ∈ Σ 
is the valuation at the end point t of the trajectory ς. 

These relations and predicates are defined through so-called deduction rules. 
A deduction rule is of the form $\frac{H}{r}$, where H is a number of hypotheses separated 
by commas and r is the result of the rule. The result of a deduction rule can 
be derived if all of its hypotheses are derived. In case the set of hypotheses is 
empty, the deduction rule is called a deduction axiom. The notation $\frac{H}{R}$, where R 
is a number of results separated by commas, is a shorthand for a deduction rule $\frac{H}{r}$ 
for each result r ∈ R. In order to increase the readability of the χσh deduction 
rules, some abbreviations are used. The notation 

\[
\frac{(p_1,\sigma_1,E_1) \xrightarrow{a_1,\sigma_1'} \left(\substack{q_{11}\\ \vdots\\ q_{1n}},\sigma_1',E_1\right),\ \ldots,\ (p_m,\sigma_m,E_m) \xrightarrow{a_m,\sigma_m'} \left(\substack{q_{m1}\\ \vdots\\ q_{mn}},\sigma_m',E_m\right),\ C}{(r,\sigma,E) \xrightarrow{b,\sigma'} \left(\substack{s_1\\ \vdots\\ s_n},\sigma',E\right)}
\]

where q_{ji}, s_i ∈ P ∪ {✓} and C denotes an optional hypothesis that must be 
satisfied in the deduction rule, is an abbreviation for the following rules (one for 
each i): 

\[
\frac{(p_1,\sigma_1,E_1) \xrightarrow{a_1,\sigma_1'} (q_{1i},\sigma_1',E_1),\ \ldots,\ (p_m,\sigma_m,E_m) \xrightarrow{a_m,\sigma_m'} (q_{mi},\sigma_m',E_m),\ C}{(r,\sigma,E) \xrightarrow{b,\sigma'} (s_i,\sigma',E)}
\]



Based on [10] we use the following definitions of operators ↾, ⇂, and ↓ applied 
on functions. If f is a function, dom(f) and range(f) denote the domain and 
range of f, respectively. If S is a set, f ↾ S denotes the restriction of f to S, 
that is, the function g with dom(g) = dom(f) ∩ S, such that g(c) = f(c) for each 
c ∈ dom(g). 
If f and g are functions with dom(f) ∩ dom(g) = ∅, then f ∪ g denotes the 
unique function h with dom(h) = dom(f) ∪ dom(g) satisfying the condition: for 
each c ∈ dom(h), if c ∈ dom(f) then h(c) = f(c), and h(c) = g(c) otherwise. 

If f is a function whose range is a set of functions and S is a set, then f ⇂ S 
denotes the function g with dom(g) = dom(f) such that g(c) = f(c) ↾ S for each 
c ∈ dom(g). If f is a function whose range is a set of functions, all of which have 
a particular element d in their domain, then f ↓ d denotes the function g with 
dom(g) = dom(f) such that g(c) = f(c)(d) for each c ∈ dom(g). 



3.2 Deduction Rules 

Atomic Process Terms: For the deduction rules of the atomic process terms, 
it is assumed that Γ(E), J(E), F(E) ⊆ dom(σ), m ∈ C(E), x ∈ dom(σ), and 
σ(e), σ(e_n), c ∈ Λ. 

Rule 1 states that the skip process term performs the τ action to the termi- 
nated process ✓ and has no effect on the valuation or environment. 

The execution of the assignment process term x := e (see Rule 2) leads to 
a new valuation where all variables are unchanged except for variable x. σ[σ(e)/x] 
denotes the update of valuation σ such that the new value of variable x is σ(e), 
which denotes the value of e with respect to σ. Internal send and receive process 
terms are intended to be used in parallel composition (see Rule 25). The value of 
expression e which is sent via channel m is evaluated in valuation σ (see Rule 3). 
The receive process term m?x can receive any value c (see Rule 4). 



\[
\frac{}{(\mathit{skip},\sigma,E) \xrightarrow{\tau,\sigma} (\checkmark,\sigma,E)}\;1
\qquad
\frac{}{(x := e,\sigma,E) \xrightarrow{\tau,\sigma[\sigma(e)/x]} (\checkmark,\sigma[\sigma(e)/x],E)}\;2
\]

\[
\frac{}{(m!e,\sigma,E) \xrightarrow{\mathrm{isa}(m,\sigma(e)),\sigma} (\checkmark,\sigma,E)}\;3
\qquad
\frac{}{(m?x,\sigma,E) \xrightarrow{\mathrm{ira}(m,c),\sigma[c/x]} (\checkmark,\sigma[c/x],E)}\;4
\]



The predicate process term can perform a time transition for all trajectories 
ς for predicate u as defined by Rule 5. 

\[
\frac{\varsigma \in \Omega(\sigma,\Gamma(E),J(E),F(E),u,t)}{(u,\sigma,E) \xrightarrow{\varsigma,t} (u,\varsigma(t),E)}\;5
\]



Function Ω ∈ Σ × P(V) × P(V) × P(V) × U × T → P(T ↦ Σ), where U 
denotes the set of all predicates, returns a set of trajectories from time to 
a valuation for the variables, given a valuation representing the current values of 
the variables, a set of normal continuous variables, a set of jumping continuous 
variables, a set of fixed continuous variables, a predicate and a time point that 
denotes the duration of the trajectory. Formally, the function is defined as: 

\[
\begin{array}{ll}
\Omega(\sigma,\Gamma_E,J_E,F_E,u,d) = \\[2pt]
\{\ \varsigma' \downharpoonright \mathrm{dom}(\sigma) \\
\mid\ \varsigma' \in T \mapsto ((V \cup V') \mapsto \Lambda) \\
,\ \mathrm{dom}(\varsigma') = [0,d],\ d \ge 0 \\
,\ \forall \sigma'' \in \mathrm{range}(\varsigma') & \mathrm{dom}(\sigma'') = \mathrm{dom}(\sigma) \cup \{x' \mid x \in \mathcal{D}(u)\} \\
,\ \forall 0 \le t \le d,\ x \in \mathrm{dom}(\sigma) \setminus (\Gamma_E \cup J_E \cup F_E) & (\varsigma' \downarrow x)(t) = \sigma(x) \\
,\ \forall x \in (\mathcal{D}(u) \setminus J_E) \cup F_E & (\varsigma' \downarrow x)(0) = \sigma(x) \\
,\ \forall x \in (\Gamma_E \cup J_E \cup F_E) \setminus \mathcal{D}(u) & \varsigma' \downarrow x \text{ is a bounded function that is continuous almost everywhere} \\
,\ \forall x \in \mathcal{D}(u) & \varsigma' \downarrow x' \text{ is a bounded function that is continuous almost everywhere} \\
,\ \forall 0 \le t \le d & \varsigma'(t) \models \mathcal{R}(u) \\
,\ \forall x \in \mathcal{D}(u),\ 0 \le t \le d & (\varsigma' \downarrow x)(t) = (\varsigma' \downarrow x)(0) + \int_0^t (\varsigma' \downarrow x')(s)\,ds \\
\}
\end{array}
\]

In lines 5 and 6 of the body of function Ω, it is assumed that the value of x is 
defined (σ(x) ∈ Λ). Function D ∈ U → P(V) extracts the differential variables 
from a predicate. E.g. D(x = ẏ) = {y}. Function R ∈ U → U' replaces every 
occurrence of the derivative ẋ of a variable with name x in a predicate u ∈ U by 
a fresh variable x' ∈ V' that has the same name as x postfixed with the prime 
character. The set V' is defined as V' = {x' | x ∈ V}, and U' denotes the set 
of predicates on variables x ∈ V and x' ∈ V'. For example, the application of 
function R to the equation ẋ = −y + ż gives the equation x' = −y + z'. 

The behavior of each variable x is described by a function of time ς' ↓ x. 
The behavior of the discrete variables x ∈ dom(σ) \ (Γ_E ∪ J_E ∪ F_E) is specified 
by constant functions (∀0≤t≤d (ς' ↓ x)(t) = σ(x)). The initial conditions of 
the non-jumping differential variables x ∈ D(u) \ J_E and the fixed continuous 
variables x ∈ F_E are specified by (ς' ↓ x)(0) = σ(x). The behavior ς' ↓ x of the 
algebraic variables x ∈ (Γ_E ∪ J_E ∪ F_E) \ D(u) and the behavior ς' ↓ x' of the 
derivatives (x' such that x ∈ D(u)) is a bounded function (not set-valued) that is 
continuous almost everywhere (except for a set of measure zero). The trajectory 
ς' satisfies the predicate for all time points of its domain (∀0≤t≤d ς'(t) ⊨ R(u)). 
The function ς' ↓ x of a differential variable x ∈ D(u) is the integral of the 
function ς' ↓ x' of its derivative. 

For a normal continuous variable x ∉ (J_E ∪ F_E), its occurrence in u as dif- 
ferential (occurring differentiated in u) or algebraic (not occurring differentiated 
in u) determines the behavior of the variable at the beginning of a time tran- 
sition. I.e. in time transitions at t = 0, differential variables may not behave 
discontinuously (i.e. may not jump, so that (ς' ↓ x)(0) = σ(x)). Algebraic vari- 
ables, on the other hand, may show discontinuous behavior at t = 0, so that for 
these variables (ς' ↓ x)(0) may be different from σ(x). In some cases, differential 
variables may jump. This is, for example, the case in steady state initializations 
(ẋ = 0). E.g. in ẋ = −x + 1 ∥ ẋ = 0, where x ∈ J_E, (ς' ↓ x)(0) jumps to 
1, independently of σ(x). The set of fixed continuous variables F_E is needed 
in cases where algebraic variables need to be initialized. For example consider 
ẋ = f(x,y,z) ∥ ẏ = g(x,y,z) ∥ h(x,y,z) = 0. Normally, x and y are initialized, 
and the value of z is then determined by the equations. If, for example, the mod- 
eler would prefer to initialize variables x and z, so that the value of y is then 
determined by the equations, the sets F_E and J_E should be such that z ∈ F_E 
and y ∈ J_E. Such initializations are common in, for instance, chemical systems. 

\[
\frac{\varsigma \in \Omega(\sigma,\Gamma(E),J(E),F(E),\mathrm{true},t)}{(m!e,\sigma,E) \xrightarrow{\varsigma,t} (m!e,\varsigma(t),E)}\;6
\qquad
\frac{\varsigma \in \Omega(\sigma,\Gamma(E),J(E),F(E),\mathrm{true},t)}{(m?x,\sigma,E) \xrightarrow{\varsigma,t} (m?x,\varsigma(t),E)}\;7
\]

\[
\frac{\sigma(e_n) = 0}{(\Delta e_n,\sigma,E) \xrightarrow{\tau,\sigma} (\checkmark,\sigma,E)}\;8
\qquad
\frac{0 < t \le \sigma(e_n),\ \varsigma \in \Omega(\sigma,\Gamma(E),J(E),F(E),\mathrm{true},t)}{(\Delta e_n,\sigma,E) \xrightarrow{\varsigma,t} (\Delta\,\sigma(e_n) - t,\varsigma(t),E)}\;9
\]

Rules 6 and 7 state that m!e and m?x can perform any time transition 
that satisfies ς ∈ Ω(σ, Γ(E), J(E), F(E), true, t). The predicate true does not 
restrict the continuous behavior of the (continuous) variables. 

The delay process term specifies a certain amount of delay. The full amount 
of delay does not have to be performed in one transition (see Rule 9). Note that 
σ(e_n) denotes the value of expression e_n with respect to valuation σ before the 
delay. In case that the amount of delay is zero, the delay process term terminates 
with an internal action as defined by Rule 8. Since there are no rules for the case 
that the amount of delay is negative, such a delay leads to deadlock. 



Recursion Variable: Recursion is used among others to model repetition. The 
recursion variable X simply behaves as the process term given by R(E)(X). Here 
R(E)(X) is the process term that is defined for recursion variable X in recursive 
process definition R(E). It is assumed that X ∈ dom(R(E)). 

\[
\frac{(\mathcal{R}(E)(X),\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}{(X,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}\;10
\qquad
\frac{(\mathcal{R}(E)(X),\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E)}{(X,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E)}\;11
\]



Guard Operator: In case that the guard b evaluates to false (i.e. σ ⊨ ¬b), 
there are no transitions. In case that the guard evaluates to true (i.e. σ ⊨ b), 
the guarded process term simply behaves as p. 

\[
\frac{(p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right),\ \sigma \models b}{(b \rightarrow p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}\;12
\qquad
\frac{(p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E),\ \sigma \models b}{(b \rightarrow p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E)}\;13
\]



Sequential Composition Operator: The sequential composition of the pro- 
cess terms p and q behaves as process term p until p terminates, and then 
continues to behave as process term q. 

\[
\frac{(p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}{(p;q,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{q\\ p';q},\sigma',E\right)}\;14
\qquad
\frac{(p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E)}{(p;q,\sigma,E) \xrightarrow{\varsigma,t} (p';q,\varsigma(t),E)}\;15
\]
Disrupt Operator: The disrupt operator p ▷ q is introduced to model a kind 
of sequential composition, where the process term q may take over execution 
from process term p at any moment, without waiting for its termination. 

\[
\frac{(p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}{(p \rhd q,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p' \rhd q},\sigma',E\right)}\;16
\qquad
\frac{(q,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ q'},\sigma',E\right)}{(p \rhd q,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ q'},\sigma',E\right)}\;17
\]

\[
\frac{(p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E)}{(p \rhd q,\sigma,E) \xrightarrow{\varsigma,t} (p' \rhd q,\varsigma(t),E)}\;18
\qquad
\frac{(q,\sigma,E) \xrightarrow{\varsigma,t} (q',\varsigma(t),E)}{(p \rhd q,\sigma,E) \xrightarrow{\varsigma,t} (q',\varsigma(t),E)}\;19
\]



Choice Operator: The effect of applying the choice operator to the process 
terms p and q is that the execution of a transition by either one of them results 
in a definite choice. 

\[
\frac{(p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}{(p \oplus q,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right),\ (q \oplus p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}\;20
\]

\[
\frac{(p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E)}{(p \oplus q,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E),\ (q \oplus p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E)}\;21
\]



Alternative Composition Operator: The action behavior of the alternative 
composition operator is equal to that of the choice operator (see Rule 22). The 
weak time-determinism principle is adopted for the time transitions. This prin- 
ciple means that the passage of time by itself cannot result in making a choice 
between two alternatives that can perform that time transition with the same 
trajectory ς and the same time step t. This is captured in Rule 24. Rule 23 states 
that if one of the two process terms p and q can perform a time transition and 
the other cannot, then the alternative composition can also perform that time 
transition, but loses the alternative that could not perform a time transition. 

\[
\frac{(p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}{(p \mid q,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right),\ (q \mid p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}\;22
\]

\[
\frac{(p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E),\ (q,\sigma,E) \overset{\varsigma,t}{\nrightarrow}}{(p \mid q,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E),\ (q \mid p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E)}\;23
\]

\[
\frac{(p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E),\ (q,\sigma,E) \xrightarrow{\varsigma,t} (q',\varsigma(t),E)}{(p \mid q,\sigma,E) \xrightarrow{\varsigma,t} (p' \mid q',\varsigma(t),E)}\;24
\]
Parallel Composition Operator: The parallel composition of the processes p 
and q has as its behavior with respect to action transitions the interleaving of 
the behaviors of p and q (see Rule 26). The time transitions of the parallel com- 
position of two process terms have to synchronize to obtain the time transition 
(with same trajectory ς and the same time step t) of their parallel composition 
as defined by Rule 27. The parallel composition allows the synchronization of 
matching send and receive actions. A send action isa(m, c) and a receive action 
ira(m', c') match iff m = m' and c = c' (i.e. the channels used for sending and 
receiving are same, and also the value sent and the value received are identical). 
The result of the synchronization is a communication action ca(m, c) as defined 
by Rule 25. 

\[
\frac{(p,\sigma,E) \xrightarrow{\mathrm{isa}(m,c),\sigma'} \left(\substack{\checkmark\\ p'\\ \checkmark\\ p'},\sigma',E\right),\ (q,\sigma',E) \xrightarrow{\mathrm{ira}(m,c),\sigma''} \left(\substack{\checkmark\\ \checkmark\\ q'\\ q'},\sigma'',E\right)}{(p \parallel q,\sigma,E) \xrightarrow{\mathrm{ca}(m,c),\sigma''} \left(\substack{\checkmark\\ p'\\ q'\\ p' \parallel q'},\sigma'',E\right),\ (q \parallel p,\sigma,E) \xrightarrow{\mathrm{ca}(m,c),\sigma''} \left(\substack{\checkmark\\ p'\\ q'\\ q' \parallel p'},\sigma'',E\right)}\;25
\]

\[
\frac{(p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}{(p \parallel q,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{q\\ p' \parallel q},\sigma',E\right),\ (q \parallel p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{q\\ q \parallel p'},\sigma',E\right)}\;26
\]

\[
\frac{(p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E),\ (q,\sigma,E) \xrightarrow{\varsigma,t} (q',\varsigma(t),E)}{(p \parallel q,\sigma,E) \xrightarrow{\varsigma,t} (p' \parallel q',\varsigma(t),E)}\;27
\]



Scope Operator: By means of the scope operator, local variables (option- 
ally with an initial value) and a local environment can be introduced in a χσh 
process. The application of the scope operator to a process p results in the 
behavior of the process p after the addition of the local variables (in fact the 
valuation for the local variables) to the global valuation (μ(σ, σ_s)), and the ad- 
dition of the local environment to the global environment (μ_E(E, E_s)). Function 
μ ∈ Σ × Σ → Σ merges two valuations. If σ, σ' ∈ Σ, μ(σ, σ') denotes the valua- 
tion σ'' with dom(σ'') = dom(σ) ∪ dom(σ'), such that ∀x ∈ dom(σ') σ''(x) = σ'(x) 
and ∀x ∈ dom(σ) \ dom(σ') σ''(x) = σ(x). Function μ_E ∈ ES × ES → ES merges two 
environments. It is defined as μ_E(E, E_s) = (Γ(E) ∪ Γ(E_s), J(E) ∪ J(E_s), F(E) ∪ 
F(E_s), C(E) ∪ C(E_s), μ_R(R(E), R(E_s))). Function μ_R ∈ RS × RS → RS merges 
two recursive process definitions. If R, R' ∈ RS, μ_R(R, R') denotes the re- 
cursive process definition R'', with dom(R'') = dom(R) ∪ dom(R') such that 
∀x ∈ dom(R') R''(x) = R'(x) and ∀x ∈ dom(R) \ dom(R') R''(x) = R(x). 

The scope operator is also used for abstraction: action abstraction and 
data abstraction. The skip and assignment actions are internal (τ) actions al- 
ready. The internal send and receive actions on a local channel are encapsulated 
(blocked). Therefore, they need not be abstracted. The only action that needs to 
be abstracted by substitution of a τ action (action abstraction) is the commu- 
nication action ca(m, c) via a local channel m ∈ C(E_s) (see Rule 28). Function 
ch ∈ A_τ → C ∪ {⊥} extracts the channel label from an action. It is defined as 
ch(a(m, c)) = m and ch(τ) = ⊥. 

The changes of local variables are abstracted (made invisible) outside 
the scope operator, by removing them from the transition arrow. For ac- 
tion transitions, data abstraction is defined using σ'_σ, where σ'_σ denotes 
μ(σ, σ' ↾ (dom(σ) \ dom(σ_s))), as shown in Rules 28 and 29. The changed val- 
uation of local variables is stored in the local valuation (σ' ↾ dom(σ_s)). 

For time transitions, data abstraction is defined using ς_σ, where ς_σ 
denotes ς ⇂ (dom(σ) \ dom(σ_s)) ∪ ς_corr. The correction function ς_corr 
specifies the continuous behavior of the variables in the start valuation σ 
that were redefined in the local valuation σ_s. It is defined as ς_corr ∈ 
Ω(σ ↾ dom(σ_s), Γ(E) ∩ dom(σ_s), J(E) ∩ dom(σ_s), F(E) ∩ dom(σ_s), true, t) (see 
Rule 30). 

\[
\frac{(p,\mu(\sigma,\sigma_s),\mu_E(E,E_s)) \xrightarrow{\mathrm{ca}(m,c),\sigma'} \left(\substack{\checkmark\\ p'},\sigma',\mu_E(E,E_s)\right),\ m \in C(E_s)}{(|[\sigma_s,E_s \mid p]|,\sigma,E) \xrightarrow{\tau,\sigma'_\sigma} \left(\substack{\checkmark\\ |[\sigma' \upharpoonright \mathrm{dom}(\sigma_s),E_s \mid p']|},\sigma'_\sigma,E\right)}\;28
\]

\[
\frac{(p,\mu(\sigma,\sigma_s),\mu_E(E,E_s)) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',\mu_E(E,E_s)\right),\ \mathrm{ch}(a) \notin C(E_s)}{(|[\sigma_s,E_s \mid p]|,\sigma,E) \xrightarrow{a,\sigma'_\sigma} \left(\substack{\checkmark\\ |[\sigma' \upharpoonright \mathrm{dom}(\sigma_s),E_s \mid p']|},\sigma'_\sigma,E\right)}\;29
\]

\[
\frac{(p,\mu(\sigma,\sigma_s),\mu_E(E,E_s)) \xrightarrow{\varsigma,t} (p',\varsigma(t),\mu_E(E,E_s))}{(|[\sigma_s,E_s \mid p]|,\sigma,E) \xrightarrow{\varsigma_\sigma,t} (|[\varsigma(t) \upharpoonright \mathrm{dom}(\sigma_s),E_s \mid p']|,\varsigma_\sigma(t),E)}\;30
\]



Encapsulation Operator: The behavior of the encapsulation of a process ∂(p) 
is the same as the behavior of the process argument p with the restriction that 
only actions from the set A_τ = {ca(m, c) | m ∈ C, c ∈ Λ} ∪ {τ} can be executed 
(see Rule 31). In this way, internal send actions isa(m, c) and internal receive 
actions ira(m, c) are blocked, and only communication actions ca(m, c) and τ 
actions are allowed. Encapsulation has no effect on time transitions, as defined 
by Rule 32. 

\[
\frac{(p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right),\ a \in A_\tau}{(\partial(p),\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ \partial(p')},\sigma',E\right)}\;31
\qquad
\frac{(p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E)}{(\partial(p),\sigma,E) \xrightarrow{\varsigma,t} (\partial(p'),\varsigma(t),E)}\;32
\]



Maximal Progress Operator: The maximal progress operator gives action 
transitions a higher priority than time transitions. Rule 33 states that action 
behavior is not affected by maximal progress. Time transitions are allowed only 
if it is not possible to perform any action transitions as defined by Rule 34. 

\[
\frac{(p,\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ p'},\sigma',E\right)}{(\pi(p),\sigma,E) \xrightarrow{a,\sigma'} \left(\substack{\checkmark\\ \pi(p')},\sigma',E\right)}\;33
\qquad
\frac{(p,\sigma,E) \xrightarrow{\varsigma,t} (p',\varsigma(t),E),\ (p,\sigma,E) \nrightarrow}{(\pi(p),\sigma,E) \xrightarrow{\varsigma,t} (\pi(p'),\varsigma(t),E)}\;34
\]

Fig. 1. Dry friction 

For all χσh operators, strong (state-based) bisimulation has been proven to 
be a congruence. 
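As an added example (not code from the paper), the following Python interpreter implements the action-transition rules of the discrete fragment of χσh (skip, assignment, guard, sequential composition, choice and recursion: Rules 1, 2, 12, 14, 20 and 10) as a small-step function and explores the resulting transition system; the tuple encoding of process terms and the representation of expressions and guards as Python callables are assumptions of this example.

```python
"""Small-step interpreter for the discrete fragment of the chi_sigma_h SOS:
the action-transition rules for skip, assignment, guard, sequential
composition, choice and recursion.  Added example; the term encoding below
is an assumption of this example, not the paper's notation."""
from collections import deque

TERM = "✓"      # the terminated process of the SOS
TAU = "tau"     # the internal action

# Process terms are tuples; expressions and guards are Python callables
# evaluated in a valuation sigma (dict from variable name to value):
#   ("skip",)         ("assign", x, e)    ("guard", b, p)
#   ("seq", p, q)     ("choice", p, q)    ("rec", X)


def steps(p, sigma, R):
    """All action transitions (a, sigma', p') of (p, sigma) under the
    recursive process definition R, i.e. the R(E) component of the environment."""
    kind = p[0]
    if kind == "skip":                  # rule 1: tau, valuation unchanged
        return [(TAU, sigma, TERM)]
    if kind == "assign":                # rule 2: sigma[sigma(e)/x]
        _, x, e = p
        new = dict(sigma)
        new[x] = e(sigma)
        return [(TAU, new, TERM)]
    if kind == "guard":                 # rule 12: no transition when sigma |= not b
        _, b, body = p
        return steps(body, sigma, R) if b(sigma) else []
    if kind == "seq":                   # rule 14: q takes over when p terminates
        _, left, right = p
        return [(a, s2, right if p2 == TERM else ("seq", p2, right))
                for a, s2, p2 in steps(left, sigma, R)]
    if kind == "choice":                # rule 20: the first transition decides
        _, left, right = p
        return steps(left, sigma, R) + steps(right, sigma, R)
    if kind == "rec":                   # rule 10: X behaves as R(E)(X)
        return steps(R[p[1]], sigma, R)
    raise ValueError(f"unknown process term {p!r}")


def explore(p, sigma, R, bound=10_000):
    """Breadth-first exploration of the action transitions from (p, sigma).
    Returns the valuations reached at termination and the deadlocked states
    (non-terminated states without any transition, as when no rule applies)."""
    key = lambda proc, s: (proc, frozenset(s.items()))
    seen = {key(p, sigma)}
    work = deque([(p, sigma)])
    finals, deadlocks = set(), set()
    while work and len(seen) <= bound:
        proc, s = work.popleft()
        succ = steps(proc, s, R)
        if not succ:
            deadlocks.add(key(proc, s))
        for _, s2, p2 in succ:
            if p2 == TERM:
                finals.add(frozenset(s2.items()))
            elif key(p2, s2) not in seen:
                seen.add(key(p2, s2))
                work.append((p2, s2))
    return finals, deadlocks


# Constructed processes (not from the paper).
# X = (x < 3 -> x := x + 1; X) (+) (x >= 3 -> skip): a bounded counter.
R_COUNT = {"X": ("choice",
                 ("guard", lambda s: s["x"] < 3,
                  ("seq", ("assign", "x", lambda s: s["x"] + 1), ("rec", "X"))),
                 ("guard", lambda s: s["x"] >= 3, ("skip",)))}


def run_counter(x0):
    """Final values of x and number of deadlocks when X starts with x = x0."""
    finals, deadlocks = explore(("rec", "X"), {"x": x0}, R_COUNT)
    return sorted(dict(f)["x"] for f in finals), len(deadlocks)


# (x := 1 (+) x := 2); y := x : the choice is resolved by the first transition.
P_CHOICE = ("seq", ("choice", ("assign", "x", lambda s: 1),
                              ("assign", "x", lambda s: 2)),
            ("assign", "y", lambda s: s["x"]))


def run_choice():
    """Both resolutions of the choice survive into the final valuations."""
    finals, _ = explore(P_CHOICE, {"x": 0, "y": 0}, {})
    return sorted((dict(f)["x"], dict(f)["y"]) for f in finals)


def run_stuck():
    """x >= 5 -> skip with x = 0: the guard rule does not apply, so deadlock."""
    finals, deadlocks = explore(("guard", lambda s: s["x"] >= 5, ("skip",)), {"x": 0}, {})
    return len(finals), len(deadlocks)
```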



4 Examples 

The two examples in this section are related to the kind of hybrid systems that 
can be modeled by means of hybrid automata and related formalisms. This 
makes it easier to become familiar with χσh specifications. In practice, however, 
a modeler would specify models in the χ language, which has a more user-friendly 
syntax for the scope operator. 

4.1 Dry Friction Phenomenon 

A driving force F_d is applied to a body on a flat surface with frictional force F_f 
(Figure 1). When the body is moving with positive velocity v, the frictional force 
is given by F_f = μ F_N, where F_N = m g. When the velocity of the body is zero and 
|F_d| ≤ μ0 F_N, the frictional force neutralizes the applied driving force. Instead 
of locations (hybrid automaton), χ uses recursion variables to specify the modes 
“neg”, “stop”, and “pos”. The mode “stop” requires that v is initially 0. The 
mode “stop” is maintained for as long as the parallel composition (v = 0 → 
v̇ = 0 ∥ −μ0 F_N ≤ F_d ≤ μ0 F_N) can delay. Otherwise, the process term (F_d < 
−μ0 F_N → neg ⊕ F_d > μ0 F_N → pos) after the disrupt operator ▷ takes over. 
The choice operator ⊕ specifies that either process term F_d < −μ0 F_N → neg 
or F_d > μ0 F_N → pos is executed. Therefore, depending on the value of F_d, either 
the process term specified by recursion variable (mode) neg or pos is executed. 
The mode “pos” is maintained until condition v ≤ 0 ∧ F_d ≤ μ0 F_N becomes true. 
In χ, action transitions have priority over time transitions. Therefore, when v ≤ 0 
and F_d ≤ μ0 F_N, the process term skip is enabled and is immediately executed. 
Subsequently the mode “stop” is executed again. Symbols m, F_N, μ0, μ, x0 
and v0 are constants. 

\[
\begin{array}{l}
\langle\ \pi(\ |[\ \emptyset,\ (\emptyset,\emptyset,\emptyset,\emptyset, \\
\quad \{\ \mathit{stop} \mapsto (v = 0 \rightarrow \dot v = 0 \parallel -\mu_0 F_N \le F_d \le \mu_0 F_N) \\
\qquad\qquad\quad \rhd (F_d < -\mu_0 F_N \rightarrow \mathit{neg} \oplus F_d > \mu_0 F_N \rightarrow \mathit{pos}) \\
\quad ,\ \mathit{pos} \mapsto (v \ge 0 \parallel m \dot v = F_d - \mu F_N) \\
\qquad\qquad\quad \rhd (v \le 0 \wedge F_d \le \mu_0 F_N \rightarrow \mathit{skip};\ \mathit{stop}) \\
\quad ,\ \mathit{neg} \mapsto (v \le 0 \parallel m \dot v = F_d + \mu F_N) \\
\qquad\qquad\quad \rhd (v \ge 0 \wedge F_d \ge -\mu_0 F_N \rightarrow \mathit{skip};\ \mathit{stop}) \\
\quad \}\ ) \\
\quad \mid\ F_d = \sin(t) \parallel \dot t = 1 \parallel \dot x = v \parallel (\mathit{neg} \oplus \mathit{stop} \oplus \mathit{pos}) \\
\ ]|\ ) \\
,\ \{t \mapsto 0,\ x \mapsto x_0,\ v \mapsto v_0,\ F_d \mapsto \bot\},\ (\{t,x,v,F_d\},\emptyset,\emptyset,\emptyset,\emptyset) \\
\rangle
\end{array}
\]



4.2 Railroad Gate Controller 

In [16] a railroad gate controller is modeled using a hybrid automaton. When 
a train approaches the gate the controller must close the gate. The controller 
has a reaction delay of α time units. After the train has passed the gate the 
controller must open the gate. The purpose of the model is to determine the 
value of α, to ensure that the gate is always fully closed when the train is at 
a certain distance from the gate. 

A formal specification of the railroad gate controller using χσh is given below. 
Channels approach, exit, open and close are used for pure synchronization; 
no data is communicated. The train, gate and controller are modeled using 
different scopes. The scope process term modeling the train consists of a parallel 
composition of an infinite loop (*(. . .)) and an equation (ẋ = v). The velocity 
of the train can be any function of time between 40 and 50. The process waits 
until the train has reached position x = 1000 and then synchronizes with the 
controller (approach!). The train is now approaching the gate. If the train has 
reached the exit position x = 2100, the train synchronizes with the controller, the 
position x of the train is reset to zero (x := 0), and the loop is re-executed. The 
train is now past the gate. The scope process term modeling the gate consists of 
a parallel composition of an infinite loop and an equation (φ̇ = n). The infinite 
loop is an alternative composition of four process terms. The first process term 
waits until the gate is closed (φ = 0) and then turns off the gate. The second 
process term waits until the gate is open (φ = 90). The third and fourth process 
term wait for synchronization with the controller in order to open or close the 
gate (open? and close? respectively). The four process terms delay in parallel 
until one of the four events (∇φ ≤ 0, ∇φ ≥ 90, open?, close?) takes place. The 
controller consists of an infinite loop. It tries to synchronize with the train, in 
order to open or close the gate (approach? and exit? respectively). The constant 
α is used to model the reaction delay in the controller. After α time units (Δα) 
the controller synchronizes with the gate, and the loop is re-executed. In the 
specification, some abbreviations are used which are listed in the table below. 

Abbreviation    Meaning 
*p              |[ ∅, (∅, ∅, ∅, ∅, {X ↦ p; X}) | X ]| 
∇x ≥ e          x < e ▷ (x ≥ e → skip) 
∇x ≤ e          x > e ▷ (x ≤ e → skip) 
m!              m!true 
m?              |[ {x ↦ ⊥}, (∅, ∅, ∅, ∅, ∅) | m?x ]| 

\[
\begin{array}{l}
\langle\ \pi(\partial(\ |[\ \{v \mapsto \bot\},\ (\{v\},\emptyset,\emptyset,\emptyset,\emptyset) \\
\qquad \mid\ \dot x = v \parallel {*}(\ (40 \le v \le 50 \mid \nabla x \ge 1000);\ \mathit{approach}! \\
\qquad\qquad\qquad\qquad ;\ (30 \le v \le 50 \mid \nabla x \ge 2100);\ \mathit{exit}!;\ x := 0 \\
\qquad\qquad\qquad\qquad ) \\
\qquad ]| \\
\quad \parallel\ |[\ \{n \mapsto 0\},\ (\emptyset,\emptyset,\emptyset,\emptyset,\emptyset) \\
\qquad \mid\ \dot\phi = n \parallel {*}(\ n < 0 \rightarrow (\nabla\phi \le 0;\ n := 0) \\
\qquad\qquad\qquad\qquad \mid\ n > 0 \rightarrow (\nabla\phi \ge 90;\ n := 0) \\
\qquad\qquad\qquad\qquad \mid\ \mathit{open}?;\ n := 9 \\
\qquad\qquad\qquad\qquad \mid\ \mathit{close}?;\ n := -9 \\
\qquad\qquad\qquad\qquad ) \\
\qquad ]| \\
\quad \parallel\ {*}(\ \mathit{approach}?;\ \Delta\alpha;\ \mathit{close}!\ \mid\ \mathit{exit}?;\ \Delta\alpha;\ \mathit{open}!\ ) \\
\ )) \\
,\ \{x \mapsto 0,\ \phi \mapsto 90\},\ (\{x,\phi\},\emptyset,\emptyset,\{\mathit{approach},\mathit{exit},\mathit{open},\mathit{close}\},\emptyset) \\
\rangle
\end{array}
\]



5 Conclusions and Future Research 

The semantics of the hybrid χ language has been formally specified using a rel- 
atively small set of deduction rules and associated functions. The language is 
highly expressive and can be used to specify a wide range of systems, includ- 
ing pure discrete-event systems, systems with local scoping of variables and/or 
channels, and systems of implicit algebraic differential equations. Future work 
entails the extension of the discrete-event χ verification tool to enable verifica- 
tion of hybrid models. Furthermore, the hybrid χ simulator will be redesigned 
to correspond to the new syntax and formal semantics. 
Abstract. Hard Real-Time systems are subject to stringent timing constraints, 
which result from the interaction with the surrounding physical 
environment. The provider of the system has to guarantee that all timing 
constraints will be met. Such a guarantee is typically given by success- 
fully executing a schedulability analysis. A schedulability analysis of a set 
of tasks requires the worst case execution times (WCET) of the tasks to 
be known. Since in general the problem of computing WCETs is not 
decidable, estimations of the WCET in form of upper bounds have to 
be calculated. The upper bounds always exist, since real-time programs 
don’t allow unbounded iteration or recursion. These upper bounds are 
still called the worst case execution times of the tasks. The estimations 
have to be safe, i.e., they may never underestimate the real execution 
time. Furthermore, they should be tight, i.e., the overestimation should 
be as small as possible. 

In modern processor architectures, caches, pipelines, and different kinds 
of speculative execution are key features for improving performance. Un- 
fortunately, they make the prediction of the behaviour of instructions 
very difficult since this behaviour now depends on the execution history. 
Therefore, most classical approaches to worst case execution time pre- 
diction are not directly applicable or lead to results exceeding the real 
execution time by orders of magnitude. 

We split the analysis into a set of subtasks: Value Analysis, Cache and 
Pipeline Analysis, and Worst-Case Path Determination. Value analysis 
attempts to determine the values in registers for each program point in 
order to statically compute Effective Addresses normally known only at 
execution time. Effective addresses are needed for the data cache analysis. 

Cache Analysis predicts the instruction and data cache behaviour of the 
program, and Pipeline Analysis predicts the pipeline behaviour. These 
three analyses are all done by Abstract Interpretation. 

The essential idea is the following: The execution of an instruction or even 
a single memory access or a pipeline phase during the execution of an 
instruction can contribute different costs to the program’s execution time 
depending on the execution history. All non-optimal executions of an 
instruction or part of an instruction we will consider as Time Accidents. 

We then regard Safety Properties being the absence of time accidents at 
individual instructions. Abstract Interpretation is then used to verify as 
many of such safety properties as possible. Any verified safety property 
allows the reduction of the WCET. 

* Work supported by project IST-2001-34820, Advanced Real-Time Systems 
(ARTIST) 
The final step of the run-time prediction is Worst-case Path Analysis. It 
solves an Integer Linear Program (ILP) expressing the program control 
flow and taking into account the predicted maximum number of machine 
cycles for each Basic Block of the program. Maximizing an objective 
function expressing the total number of machine cycles for each program 
path yields an upper bound of the program’s execution times. 

WCET tools have been implemented for several processors [2, 3, 1] and 
are now being used in the aeronautics and the automotive industries [4] . 
Benchmarks have shown that very tight bounds on the execution times 
can be derived by the techniques mentioned above. 
Abstract. We give a new discretization of behaviors of timed automata. 
In this discretization, timed languages are represented as sets of words 
containing action symbols, a clock tick symbol 1, and two delay sym- 
bols δ⁻ (negative delay) and δ⁺ (positive delay). Unlike the region con- 
struction, our discretization commutes with intersection. We show that 
discretizations of timed automata are, in general, context-sensitive lan- 
guages over Σ ∪ {1, δ⁺, δ⁻}, and give a class of automata that equals the 
class of languages that are discretizations of timed automata, and show 
that their emptiness problem is decidable. 



1 Introduction 

Timed automata [AD94] are a successful and widely used extension of finite 
automata for modeling real-time systems. They are finite automata endowed 
with clocks that measure time passage. Clocks are real-valued variables and 
evolve synchronously at rate 1. Transitions are guarded by arithmetic conditions 
on the clocks, and some transitions might reset some clocks to 0. 

The essential construction for timed automata is the region construction, a fi- 
nite abstraction of the infinite state-space of the automaton. This abstraction 
preserves emptiness and is the basis of both theoretic results concerning monoid 
recognizability, and of tools for model-checking timed systems [Yov98, LPY97]. 
Recently, researchers have shown interest in laying the foundations of a formal 
timed language theory. Some important progress has been reported on adapt- 
ing regular expressions to timed automata [BP99, BP02, ACM02, AD03], on 
adapting monoid recognizability to timed languages [BPT01], and on pumping 
lemmas for timed languages [Her98, Bea98]. 

The research reported here has started from the observation that the region 
construction is not compositional w.r.t. intersection. That is, the region automa- 
ton of an intersection of languages of two timed automata is not the intersection 
of the region automata of the two timed automata. E.g., take the timed languages 

\[
L_1 = \{\, t_1\, a\, t_2 \mid t_1, t_2 \in\ ]0,1[\ \} = \big\| \langle t \rangle_{]0,1[}\, \langle a\, t \rangle_{]0,1[} \big\|,
\qquad
L_2 = \{\, t_1\, a\, t_2 \mid t_1 + t_2 \in\ ]1,2[\ \} = \big\| \langle t\, a\, t \rangle_{]1,2[} \big\|
\]
Here we have used timed regular expressions similar to [ACM02], in which t 
represents time passage and the time binding construction ⟨E⟩_I requires that 
each behavior generated by expression E be observed within the interval I. The 
following figure gives the region constructions for these languages: 

[Figure: region automata A_1 (for L_1) and A_2 (for L_2), over the clock regions 0, ]0,1[, 1, ]1,2[.] 

The classical “intersection construction” applied to A_1 and A_2 does not yield 
a region automaton for the timed language L_1 ∩ L_2. Rather, we need to construct 
first a timed automaton for L_1 ∩ L_2 and then to discretize it into a region 
automaton. 

We present here a different discretization for timed automata, as (sets of) 
words over an alphabet containing action symbols, “clock tick” symbols and two 
special symbols δ⁺ and δ⁻ denoting positive, resp. negative delay. The delay 
symbols give some information about how to “skew” a sequence of clock ticks 
with some positive or negative delay, in order to obtain dense-time behaviors 
from a discrete-time information. They have a “non-Archimedean” semantics, in 
the sense that the semantics of any number of positive delays is smaller than 
one clock tick. In other words, clock ticks are used for quantitative timing infor- 
mation, while delay symbols give a qualitative timing information, as they only 
“alter” the information provided by clock ticks. We show that this discretization 
produces context-sensitive languages, a fact which may give another explanation 
for the undecidability of the universality problem for timed automata. 

We then investigate a class of automata that is suitable for representing 
discretizations of languages of timed automata. Our automata, called here os- 
cillator automata, have the ability to add positive and/or negative delays, and 
to say whether the result is a positive or a negative delay. However they are 
not able to count delays. We show that this class of automata has a decidable 
emptiness problem, and that the class of languages that are discretizations of 
timed automata equals the class of languages accepted by oscillator automata. 

The paper is divided as follows: in the next section we remind the notions 
of timed automata and timed regular expressions. In the third section we give 
the semantics of our discretization, and several basic properties they have. In 
the fourth section we introduce oscillator automata and show the decidability 
of their emptiness problem. The fifth section gives the results concerning the 
connection between oscillator automata and timed automata. 

2 Preliminaries 

Behaviors of timed systems can be modeled by timed words over a set of
symbols $\Sigma$. Two presentations can be given to (most of the) timed words, one
being as sequences of symbols from $\Sigma$ with time stamps, the other as mixed
sequences of symbols from $\Sigma$ and real numbers. For example, $(a,3)(b,3.1)$ and
$3\,a\,0.1\,b$ represent the same timed word. A special case occurs when time
elapses after the last action: it is the case of the timed word $3\,a\,1\,b\,1$. We
will then associate to this the time stamp sequence $(a,3)(b,4)(\varepsilon,5)$, hence
accepting that the last tuple in a time stamp sequence be labeled with the empty
word. The untiming of a timed word is the sequence of actions in it. Renamings
can be defined on timed words in the straightforward way: for example,
$[a \mapsto b](a,3)(b,3.1) = (b,3)(b,3.1)$. Finally, the length $\ell(w)$ of a timed word $w$ is the
time stamp of the last symbol in $w$, or, equivalently, the sum of the real numbers
in it. Hence, $\ell((a,3)(b,4)(\varepsilon,5)) = \ell(3\,a\,1\,b\,1) = 5$.

A timed automaton [AD94] is a tuple $\mathcal{A} = (Q, \mathcal{X}, \Sigma, \delta, Q_0, Q_f)$ where $Q$
is a finite set of states, $\mathcal{X}$ is a finite set of clocks, $\Sigma$ is a finite set of action
symbols, $Q_0, Q_f \subseteq Q$ are the sets of initial, resp. final states, and $\delta$ is a finite set of
tuples (transitions) $(q, C, a, X, r)$ where $q, r \in Q$, $X \subseteq \mathcal{X}$, $a \in \Sigma \cup \{\varepsilon\}$ and $C$
is a finite conjunction of clock constraints of the form $x \in I$, where $x \in \mathcal{X}$ and
$I \subseteq [0, \infty[$ is an interval with integer (or infinite) bounds. For each transition
$(q, C, a, X, r) \in \delta$, the component $C$ is called the guard of the transition, $a$ is
called the action label of the transition, and $X$ is called the reset component of the
transition. We consider $\mathcal{X} = \{x_1, \ldots, x_n\}$, and identify each reset component $X$
with $\{i \mid i \in [1 \ldots n], x_i \in X\}$. Here $[1 \ldots n]$ stands for $\{1, \ldots, n\}$, and, in
general, we denote $[i \ldots j] = \{i, i+1, \ldots, j\}$ for any $i, j \in \mathbb{Z}$.

The semantics of a timed automaton is given in terms of a timed transition
system $\mathcal{T}(\mathcal{A}) = (\mathcal{Q}, \theta, \mathcal{Q}_0, \mathcal{Q}_f)$ where $\mathcal{Q} = Q \times \mathbb{R}_{\geq 0}^n$, $\mathcal{Q}_0 = Q_0 \times \{0_n\}$,
$\mathcal{Q}_f = Q_f \times \mathbb{R}_{\geq 0}^n$ and

$$\theta = \{(q, v) \xrightarrow{t} (q, v') \mid v'_i = v_i + t,\ \forall i \in [1 \ldots n]\} \cup$$

$$\{(q, v) \xrightarrow{a} (q', v') \mid \exists (q, C, a, X, q') \in \delta \text{ s.t. } v \models C \text{ and } \forall i \in [1 \ldots n],$$
$$\text{if } i \in X \text{ then } v'_i = 0 \text{ and if } i \notin X \text{ then } v'_i = v_i\}$$

A run in $\mathcal{T}(\mathcal{A})$ is a finite chain $(q^0, v^0) \to (q^1, v^1) \to \cdots \to (q^k, v^k)$ of
transitions from $\theta$. An accepting run in $\mathcal{T}(\mathcal{A})$ is a run which starts in $\mathcal{Q}_0$ and
ends in $\mathcal{Q}_f$. The accepted language of $\mathcal{A}$ is the set of timed words which label
some accepting run of $\mathcal{T}(\mathcal{A})$. Two timed automata are called equivalent iff they
have the same language. Note that we work here with finite runs.

The class of timed regular expressions is built using the following grammar:

$$E ::= \mathbf{0} \mid \varepsilon \mid tz \mid E + E \mid E \cdot E \mid E^* \mid (E)_I \mid E \wedge E \mid [a \mapsto z]E, \qquad (1)$$

where $z \in \Sigma \cup \{\varepsilon\}$ and $I$ is an interval. Their semantics is as follows:

$$\|tz\| = \{t\,z \mid t \in \mathbb{R}_{\geq 0}\} \qquad\qquad \|E_1 + E_2\| = \|E_1\| \cup \|E_2\|$$
$$\|E_1 \cdot E_2\| = \|E_1\| \cdot \|E_2\| \qquad\qquad \|(E)_I\| = \{w \in \|E\| \mid \ell(w) \in I\}$$
$$\|E^*\| = \|E\|^* \qquad\qquad \|\mathbf{0}\| = \emptyset,\quad \|\varepsilon\| = \{\varepsilon\}$$
$$\|E_1 \wedge E_2\| = \|E_1\| \cap \|E_2\| \qquad\qquad \|[a \mapsto z]E\| = \{[a \mapsto z]w \mid w \in \|E\|\}$$
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Theorem 1 ([ACM02]). The class of timed languages accepted by timed au- 
tomata equals the class of timed languages which are the semantics of some timed 
regular expression. 

3 Nonarchimedian Delays 

The basic idea that we exploit is that timed words represented by timed
automata can be grouped into regions (the name shows the similarity to the regions
of [AD94]). An $n$-dimensional region is a nonempty subset of $\mathbb{R}_{\geq 0}^n$ which
represents the solution to a constraint of the form $\bigwedge_{0 \leq i < j \leq n} x_j - x_i \in I_{ij}$,
where $I_{ij}$ is either a point interval or an open unit interval, and $x_0 = 0$.

Remark 1. [Dim02] The constraint $\bigwedge_{0 \leq i < j \leq n} x_j - x_i \in I_{ij}$ has a nonempty
semantics iff for all $i < j < k$, $I_{ij} + I_{jk} \supseteq I_{ik}$. This set of inclusions is called the
triangle property.

Hence, the set of all timed words of length $n$ (i.e. with $n$ symbols) can be decomposed into an
infinite but countable family of languages of the form
$L = \{(a_1, t_1) \ldots (a_n, t_n) \mid \forall 0 \leq i < j \leq n,\ t_j - t_i \in I_{ij},\ t_0 = 0\}$.
We will call each such set a region timed language. The $n$-dimensional subset of reals
$\{(t_1, \ldots, t_n) \mid \forall 0 \leq i < j \leq n,\ t_j - t_i \in I_{ij},\ t_0 = 0\}$ will be called the
underlying region of $L$ and denoted $\mathcal{U}(L)$. Our aim is then to code all countable
families like $L$ as a set of words over an extended set of symbols.

The set of symbols we use is $\Delta = \Sigma \cup \{1, \delta^+, \delta^-\}$ with $1, \delta^+, \delta^- \notin \Sigma$. $\delta^+$
will be called the positive delay symbol while $\delta^-$ will be called the negative delay
symbol. For each $w \in \Delta^*$ and $x \in \Sigma \cup \{1, \delta^+, \delta^-\}$ we denote $|w|_x$ the number of
occurrences of the symbol $x$ in $w$. Words over $\Delta$ will be called $\delta$-words while
languages over $\Delta$ will be called $\delta$-languages. Our aim is to code timed languages
with $\delta$-languages.

Consider first the "point region" timed language $L_0 = \{t_1\,a\,b \mid t_1 = 1\} = \|(ta\,b)_1\|$.
Obviously, the symbol $1$ can be used with the meaning of clock tick,
hence we may code this language as $1ab$. Observe that time does not elapse
between $a$ and $b$.

Consider now the region timed language $L_1 = \{t_1\,a\,t_2\,b \mid t_1 + t_2 = 1,\ t_1, t_2 > 0\} = \|(ta\,tb)_1\|$.
We would like to reuse the encoding $1ab$ by adding some
information that should say that clock ticks must be "adjusted" with positive
or negative delays. This will be the role of the delay symbols: $\delta^+$ = positive delay,
that is, the clock tick is "skewed positively", while $\delta^-$ = negative delay, that is,
the clock tick is "skewed negatively". The following $\delta$-word encodes $L_1$:
$\omega_1 = 1\delta^- a\,\delta^+ b$:

— Before the action $a$, the time elapses with at most one clock tick,

— In between $a$ and $b$ there must be a positive delay and

— The duration of the whole behavior is exactly one clock tick, hence the
number of positive delays equals the number of negative delays in the whole
word.

As another example, the language $L_2 = \{t_1\,a\,t_2\,a\,t_3 \mid t_i \in ]0,1[,\ t_1 + t_2 + t_3 = 1\} =
\|((ta)_{]0,1[}(ta)_{]0,1[}(t)_{]0,1[})_1\|$ can be coded by the $\delta$-word $\omega_2 = 1\delta^-\delta^- a\,\delta^+ a\,\delta^+$
because we need two negative delay symbols before $a$ to counterbalance the two
positive delays. Observe that, in the $\delta$-word $\omega_1$ above, the sub-language $(ta)_{]0,1[}$
was coded by $1\delta^- a$, while in the $\delta$-word $\omega_2$ it is coded by $1\delta^-\delta^- a$.

As mentioned in the introduction, the delay symbols have a nonarchimedian
semantics, that is, the semantics of any number of $\delta^+$ is always less than one
clock tick. Any number of delay symbols modifies clock tick durations by some
positive or negative amount, an amount which may never be larger than one
time unit.

Definition 1. Consider a $\delta$-word $\omega = a_0 \eta_1 a_1 \eta_2 \ldots \eta_k a_k$, with $a_i \in \Sigma$ for all
$1 \leq i \leq k-1$, $a_0, a_k \in \Sigma \cup \{\varepsilon\}$ and $\eta_i \in \{1, \delta^+, \delta^-\}^*$ for each $1 \leq i \leq k$. Then,
for each $1 \leq i < j \leq k+1$, denote $p_{ij} = |\eta_i \ldots \eta_{j-1}|_{\delta^+}$ the number of $\delta^+$'s in
the word $\eta_i \ldots \eta_{j-1}$ and similarly $n_{ij} = |\eta_i \ldots \eta_{j-1}|_{\delta^-}$ and $v_{ij} = |\eta_i \ldots \eta_{j-1}|_1$.

The semantics of $\omega$ is the set of timed words $w = a_0 t_1 a_1 t_2 \ldots t_k a_k$ for which,
for each $1 \leq i < j \leq k+1$,

— If $p_{ij} > n_{ij}$ then $t_i + \ldots + t_{j-1} \in ]v_{ij}, v_{ij} + 1[$

— If $p_{ij} = n_{ij}$ then $t_i + \ldots + t_{j-1} = v_{ij}$

— If $p_{ij} < n_{ij}$ then $t_i + \ldots + t_{j-1} \in ]v_{ij} - 1, v_{ij}[$

We also say that $\omega$ is the (nonarchimedian) discretization of its semantics
$\|\omega\|$. Nonarchimedianity amounts in fact to the property that for all
$n \in \mathbb{N}$, $\|(\delta^+)^n\| < 1$ and $\|1(\delta^-)^n\| > 0$, where the inequality signs are the
extensions of $<$ and $>$ on sets of reals.

Remark 2. Note that not all $\delta$-words have nonempty semantics: $\|\delta^-\| = \emptyset$
because we cannot have timed words with negative durations. However:

Proposition 1. For each $\delta$-word $\omega = a_0 \eta_1 a_1 \eta_2 \ldots \eta_k a_k$ as in Definition 1,
we have $\|\omega\| \neq \emptyset$ if and only if for all $i \in [1 \ldots k]$, if $|\eta_i|_1 = 0$ then $|\eta_i|_{\delta^-} \leq |\eta_i|_{\delta^+}$.

Remark 3. Note that the semantics of $\delta$-words is not compositional w.r.t. concatenation:
$\|\delta^+ a\| = \|\delta^+ \delta^+ a\|$, but $\|\delta^+ a \cdot \delta^- 1\| \neq \|\delta^+ \delta^+ a\| \cdot \|\delta^- 1\|$. Therefore, no
choice of a "representative $\delta$-word" for a class of timed languages is "good" w.r.t.
concatenation.
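The semantics of Definition 1, the nonemptiness test of Proposition 1 and the non-compositionality of Remark 3, as an added executable example (not code from the paper). It assumes a string encoding of $\delta$-words in which lower-case letters are actions, `1` is a clock tick, `+` is $\delta^+$ and `-` is $\delta^-$; timed words are given in the mixed presentation.

```python
from fractions import Fraction

# Extended alphabet Delta = Sigma U {1, delta+, delta-}. The string encoding below is
# this example's choice, not the paper's notation: lower-case letters are action
# symbols, '1' is a clock tick, '+' is delta+ and '-' is delta-.
TICK, DPLUS, DMINUS = "1", "+", "-"
TIMING = {TICK, DPLUS, DMINUS}


def split_delta_word(word):
    """Split omega = a_0 eta_1 a_1 ... eta_k a_k (Definition 1) into
    (a_0, [eta_1, ..., eta_k], [a_1, ..., a_k]); '' stands for epsilon."""
    symbols = list(word)
    a0 = ""
    if symbols and symbols[0] not in TIMING:
        a0, symbols = symbols[0], symbols[1:]
    blocks, actions, current = [], [], []
    for x in symbols:
        if x in TIMING:
            current.append(x)
        else:                        # an action symbol closes the timing block eta_i
            blocks.append(current)
            actions.append(x)
            current = []
    if current:                      # time elapsing after the last action: a_k = epsilon
        blocks.append(current)
        actions.append("")
    return a0, blocks, actions


def split_timed_word(timed):
    """Mixed presentation of a timed word, e.g. ['a', 3, 'b'] or [3, 'a', 1, 'b', 1],
    turned into (a_0, [(t_1, a_1), ..., (t_k, a_k)]) with exact rational delays."""
    seq = list(timed)
    a0 = ""
    if seq and isinstance(seq[0], str):
        a0, seq = seq[0], seq[1:]
    pairs, pending = [], Fraction(0)
    for x in seq:
        if isinstance(x, str):
            pairs.append((pending, x))
            pending = Fraction(0)
        else:                        # consecutive delays simply add up
            pending += Fraction(str(x)) if isinstance(x, float) else Fraction(x)
    if pending > 0:                  # trailing delay: last tuple is labelled epsilon
        pairs.append((pending, ""))
    return a0, pairs


def _infix_ok(p, n, v, s):
    """The three cases of Definition 1 for one infix eta_i ... eta_{j-1}:
    p = #delta+, n = #delta-, v = #ticks, s = t_i + ... + t_{j-1}."""
    if p > n:
        return v < s < v + 1         # s in ]v, v+1[
    if p == n:
        return s == v
    return v - 1 < s < v             # s in ]v-1, v[


def in_semantics(delta_word, timed_word):
    """True iff timed_word belongs to ||delta_word|| (Definition 1)."""
    a0, blocks, actions = split_delta_word(delta_word)
    b0, pairs = split_timed_word(timed_word)
    if a0 != b0:
        return False
    # a trailing block whose delays cancel (e.g. "+-") forces t_k = 0 with a_k = epsilon
    if len(pairs) == len(blocks) - 1 and actions and actions[-1] == "":
        pairs = pairs + [(Fraction(0), "")]
    if [a for _, a in pairs] != actions:
        return False
    k = len(blocks)
    for i in range(k):               # blocks[i:j] is the infix eta_{i+1} ... eta_j
        for j in range(i + 1, k + 1):
            infix = [x for blk in blocks[i:j] for x in blk]
            p, n, v = infix.count(DPLUS), infix.count(DMINUS), infix.count(TICK)
            s = sum((t for t, _ in pairs[i:j]), Fraction(0))
            if not _infix_ok(p, n, v, s):
                return False
    return True


def is_nonempty(delta_word):
    """Proposition 1: ||omega|| is nonempty iff every tick-free block eta_i
    contains at least as many delta+ as delta-."""
    _, blocks, _ = split_delta_word(delta_word)
    return all(b.count(TICK) > 0 or b.count(DMINUS) <= b.count(DPLUS) for b in blocks)


if __name__ == "__main__":
    # omega_1 = 1 delta- a delta+ b from the paper, and the non-compositionality of Remark 3
    print(in_semantics("1-a+b", [0.25, "a", 0.75, "b"]), in_semantics("1-a+b", [1, "a", "b"]))
    print(in_semantics("+a-1", [0.5, "a", 0.5]), in_semantics("++a-1", [0.5, "a", 0.5]))
    print(is_nonempty("-"), is_nonempty("-a1"), is_nonempty("1--a+a+"))
```

The last two calls in the `__main__` block show Remark 3 concretely: `+a` and `++a` have the same semantics, yet after appending `-1` only the first still contains the timed word $0.5\,a\,0.5$.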

Let us then consider sets of $\delta$-words that represent a given timed language,
that is, equivalence classes w.r.t. semantics. We will call a $\delta$-language $D$
saturated iff, whenever $\omega \in D$ and $\|\omega\| = \|\omega'\|$ for some $\omega, \omega' \in \Delta^*$, then $\omega' \in D$.
If $D$ is not saturated, we denote $sat(D)$ the least saturated $\delta$-language that
contains $D$. Let us see first the structure of the saturated $\delta$-language discretizing
a region timed language $L = \{(a_1, t_1) \ldots (a_n, t_n) \mid \forall 0 \leq i < j \leq n,\ t_j - t_i \in I_{ij},\ t_0 = 0\}$,
in which $a_n = \varepsilon$:

Denote $P$ the underlying region for $L$ and take $P'$ one of the point regions
which is "closest" to $P$ ($P'$ may be equal to $P$ if $P$ is a point region). The
constraint corresponding to $P'$ can be built by choosing, for each $0 \leq i < j \leq n$,
$I'_{ij}$ as either $\{\inf I_{ij}\}$ or $\{\sup I_{ij}\}$, and by checking whether the family $(I'_{ij})_{ij}$
satisfies the triangle property. $I'_{i-1,i}$ will give the number of clock ticks in between
the $(i-1)$-th action symbol and the $i$-th action symbol, with the convention
that the $0$-th action symbol is the empty word. We will consider its coding in
unary, as $1^{I'_{i-1,i}} = 11 \ldots 1$. The addition of positive and negative delay symbols
is then done as follows: for each $0 \leq i < j \leq n$, we define $J_{ij}$ as the point
$\{0\}$, when $I'_{ij} = I_{ij}$, or $J_{ij} = ]0, \infty[$ when $I'_{ij} = \inf I_{ij} \neq I_{ij}$, or $J_{ij} = ]-\infty, 0[$
when $I'_{ij} = \sup I_{ij} \neq I_{ij}$. In [Dim02] we have shown that the family $(J_{ij})_{ij}$ also
satisfies the triangle property. $J_{ij}$ gives the constraint for the difference between
the number of $\delta^+$'s and $\delta^-$'s in between the $i$-th and the $j$-th action. Then, the
saturated set of discretizations of $L$ is the $\delta$-language $\eta_1 a_1 \eta_2 a_2 \ldots \eta_n a_n$ in which
$\eta_i$ is a "shuffle" of $1^{I'_{i-1,i}}$ with a word $\zeta_i \in \{\delta^-, \delta^+\}^*$ with $|\zeta_i|_{\delta^+} - |\zeta_i|_{\delta^-} \in$

Proposition 2. Given two saturated $\delta$-languages $W_1, W_2 \subseteq \Delta^*$, if $\|W_1\| \cap \|W_2\| \neq \emptyset$
then $W_1 \cap W_2 \neq \emptyset$. Moreover, if $z \notin \Sigma$, then $W_1 z W_2$ is saturated
and $\|W_1 z\| \cdot \|W_2\| = \|W_1 \cdot z \cdot W_2\|$.

Proof. The first part follows easily from the definition of saturated sets. We prove
the second part for $W_1$ and $W_2$ being equivalence classes w.r.t. the semantic
equivalence.

Take $\omega_1 \in W_1$ and $\omega_2 \in W_2$. For the left-to-right inclusion, consider $\sigma \in
\|\omega_1 z\| \cdot \|W_2\|$ and denote $L$ the region timed language to which $\sigma$ belongs. By
the discussion above on the construction of saturated sets, we may construct
a $\delta$-word $\omega$ with $\|\omega\| = L$. It is then easy to decompose $\omega$ as $\omega = \omega'_1 z \omega'_2$, and
$\sigma$ as $\sigma = \sigma_1 z \sigma_2$, and to observe that $\sigma_1 \in \|\omega_1\| \cap \|\omega'_1\|$, hence $\|\omega_1\| = \|\omega'_1\|$
(two region timed languages with a common element coincide), and similarly $\|\omega_2\| = \|\omega'_2\|$.
The right-to-left inclusion is straightforward, as is the property of $W_1 z W_2$ being
saturated. □

Remark 4. In general, concatenation of saturated $\delta$-languages does not give
a saturated $\delta$-language. E.g., consider $L = \|(t)_{]0,1[}\|$. The saturated discretization
of $L \cdot L$ contains $\omega = 1\delta^+\delta^- 1$. But clearly this $\delta$-word cannot be decomposed
as $\omega = \omega_1 \cdot \omega_2$ such that $\|\omega_1\| = \|\omega_2\| = L$. Therefore, if $D$ is the saturated
$\delta$-language discretizing $L$, then $D \cdot D$ does not contain $1\delta^+\delta^- 1$, which is in the
saturated $\delta$-language discretizing $L \cdot L$.

On the other hand, the intersection of two non-saturated $\delta$-languages might
be empty, even when the intersection of their semantics is nonempty. But our aim
is to construct discretizations of timed languages by union, concatenation, star
and intersection applied to some basic $\delta$-languages. Without solving this
non-compositionality of intersection w.r.t. non-saturation, we might get an empty
$\delta$-language as a discretization of a nonempty timed language.

The solution is to work with images of saturated $\delta$-languages under deletion
morphisms. A $\delta$-language $D \subseteq \Delta^*$ is weakly saturated iff there exists a set of
symbols $\Gamma$ with $\Gamma \cap \Sigma = \emptyset$ and a saturated $\delta$-language $D' \subseteq (\Gamma \cup \Sigma \cup \{1, \delta^+, \delta^-\})^*$
such that $D = [\Gamma \mapsto \varepsilon]D'$. Here, $[\Gamma \mapsto \varepsilon]$ is the morphism which deletes any
occurrence of a symbol from $\Gamma$. The following proposition ensures the correctness
of this approach:



Catalin Dima 



Proposition 3. Given two weakly saturated $\delta$-languages $W_1, W_2$, we have that

1. If $\|W_1\| \cap \|W_2\| \neq \emptyset$ then $W_1 \cap W_2 \neq \emptyset$ and $W_1 \cap W_2$ is weakly saturated.

2. $\|W_1 \cdot W_2\| = \|W_1\| \cdot \|W_2\|$ and $W_1 \cdot W_2$ is weakly saturated.

Proof. This proposition is a corollary of the following lemma:

Lemma 1. Symbol deletion in $\delta$-words commutes with semantics: for each $\omega \in
\Delta^*$ and $a \in \Sigma$, $\|[a \mapsto \varepsilon]\omega\| = [a \mapsto \varepsilon]\|\omega\|$. Moreover, $\|[a \mapsto \varepsilon]\omega\|$ is a region
timed language.

Proof. We will prove the result for $|\omega|_a = 1$, the general case following from the
straightforward fact that renaming commutes with semantics.

For the left-to-right inclusion, suppose that $a_k = a$ for some $1 \leq k \leq n$. What
is then required to prove is that the following $(n-1)$-dimensional region:

$$R' = \{(t_1, \ldots, t_{k-1}, t_{k+1}, \ldots, t_n) \mid \forall 0 \leq i < j \leq n \text{ with } i, j \neq k,\ t_j - t_i \in I_{ij},\ t_0 = 0\}$$

is such that $R' \subseteq \{(t_1, \ldots, t_{k-1}, t_{k+1}, \ldots, t_n) \mid \exists t_k \in \mathbb{R}_{\geq 0} \text{ s.t. }
(t_1, \ldots, t_{k-1}, t_k, t_{k+1}, \ldots, t_n) \in \mathcal{U}(\|\omega\|)\}$, where $\mathcal{U}(\|\omega\|)$ is the underlying region
for the region language $\|\omega\|$. But this is a well-known property for conjunctions
of difference constraints satisfying the triangle property, see [Dim01] for a proof.
The right-to-left proof is straightforward, as well as the second conclusion. □

It remains to identify a class of saturated languages over $\Delta^*$ that contains
exactly the languages whose semantics equals the timed language of some timed
automaton. This is the subject of the next section. But before that, we will show
here that, in general, discretizations of languages of timed automata are
context-sensitive languages over $\Delta$. To see that, consider the following discretization of
the (semantics of the) expression $(ta_1 ta_2)_{]2,3[}\, ta_3 \wedge ta_1 (ta_2 ta_3)_{]1,2[}$:

$$D = \{\eta_1 a_1 \eta_2 a_2 \eta_3 a_3 \mid |\eta_1\eta_2|_{\delta^+} > |\eta_1\eta_2|_{\delta^-},\ |\eta_2\eta_3|_{\delta^+} < |\eta_2\eta_3|_{\delta^-},\ |\eta_1|_1 = |\eta_2|_1 = |\eta_3|_1 = 1\}$$

It is easy to see that this language is context-sensitive: its intersection with
the regular language $(\delta^+)^*(\delta^-)^* 1 a_1 (\delta^+)^*(\delta^-)^* 1 a_2 (\delta^+)^*(\delta^-)^* 1 a_3$ is

$$L_4 = \{(\delta^+)^m (\delta^-)^n 1 a_1 (\delta^+)^p (\delta^-)^q 1 a_2 (\delta^+)^r (\delta^-)^s 1 a_3 \mid m + p > n + q,\ p + r < q + s\}.$$

4 Oscillator Automata 

An appropriate class of automata for accepting saturated sets of $\delta$-words must
have the ability to compare numbers of $\delta^+$'s and $\delta^-$'s in infixes of $\delta$-words, but,
for decidability reasons, it must be unable to count them. The formalization of
these leads to the notion of oscillator automata, that we present here.

Before that, let us give some notations used in this section. We will use the
symbol $\vee$ as the symbol of the total binary relation on the integers, that is, $x \vee y$
for all $x, y \in \mathbb{Z}$. We denote $\mathcal{R} = \{<, =, >\}$ and $\mathcal{R}_\vee = \mathcal{R} \cup \{\vee\}$. $R^n_\vee$ denotes the
$n$-tuple $R^n_\vee = (\vee, \ldots, \vee)$. For $c \in \mathbb{Z}^n$ and $X \subseteq [1 \ldots n]$, we denote by $c[X := 0]$ the
tuple whose components are $c[X := 0]_i = c_i$ for $i \notin X$ and $c[X := 0]_i = 0$ for
$i \in X$. The unit tuple is denoted $\mathbf{1} = (1, \ldots, 1)$, and the zero tuple is denoted
$\mathbf{0}$. We will also use addition and subtraction on tuples. Hence, $(c + \mathbf{1})_i = c_i + 1$
and $(c - \mathbf{1})_i = c_i - 1$ for all $i \in [1 \ldots n]$.

Definition 2. An oscillator automaton of degree $n$ (or $n$-oscillator
automaton) is a tuple $\mathcal{A} = (Q, \theta, Q_0, Q_f)$ where $Q$ is a finite set of
states, $Q_0, Q_f \subseteq Q$ the sets of initial, resp. final states, while $\theta \subseteq Q \times
\Delta \times \mathcal{R}^n_\vee \times \mathcal{P}([1 \ldots n]) \times Q$ is the transition relation. Additionally, it is required
that $(q, \delta^+, R, \emptyset, q') \in \theta$ if and only if $(q, \delta^-, R, \emptyset, q') \in \theta$, and in this case $q = q'$
and $R = R^n_\vee$.

A configuration of an oscillator automaton is a tuple $(q, c_1, \ldots, c_n) \in Q \times \mathbb{Z}^n$
consisting of a state of the automaton and an $n$-tuple of counters. We denote
the set of configurations of $\mathcal{A}$ as $\mathcal{C}(\mathcal{A})$. The set of initial configurations is $Q_0 \times
\{(0, 0, \ldots, 0)\}$, while the set of final configurations is $Q_f \times \mathbb{Z}^n$. Configurations are
connected by transitions as follows: for any $x \in \Delta$ for which $(q, x, R, X, q') \in \theta$,
if we denote $X = \{i \in [1 \ldots n] \mid R_i \neq \vee\}$, then $(q, c_1, \ldots, c_n) \xrightarrow{x} (q', c'_1, \ldots, c'_n)$ if
$\forall i \in [1 \ldots n]$, $c_i\, R_i\, 0$ and

— If $x \notin \{\delta^-, \delta^+\}$ then $c' = c[X := 0]$.

— If $x = \delta^+$ then $c' = c + \mathbf{1}$, and if $x = \delta^-$ then $c' = c - \mathbf{1}$.

Hence, in a tuple $(q, x, R, X, q') \in \theta$, the $R$ component gives the precondition
that the counters must meet in order to take the transition. Moreover, only
$\delta^+$-transitions increment counters, while only $\delta^-$-transitions decrement counters.

A run in $\mathcal{A}$ is a sequence $\rho = \big((q^{i-1}, c_1^{i-1}, \ldots, c_n^{i-1}) \xrightarrow{x_i} (q^i, c_1^i, \ldots, c_n^i)\big)_{1 \leq i \leq k}$
of transitions between configurations. We say that the $\delta$-word $x_1 \ldots x_k$ is associated
to the run $\rho$. A run is accepting if it starts with an initial configuration and
ends in a final configuration. The $\delta$-language accepted by $\mathcal{A}$ is the set of $\delta$-words
$\omega = x_1 \ldots x_k$ associated to an accepting run, and is denoted $D(\mathcal{A})$. The timed
language accepted by $\mathcal{A}$, denoted $L(\mathcal{A})$, is $\|D(\mathcal{A})\|$.

As an example, the 2-oscillator automaton shown in the figure accepts
the discretization of the timed language $\|(tat)_{]0,1[}\|$. The dotted arrows
represent the $\delta^+$-transitions, while the dashed arrows represent
the $\delta^-$-transitions.

[Figure: the 2-oscillator automaton with counters $x$ and $y$; not reproduced here.]

Note that the counter $y$ is necessary for ensuring that, e.g., the $\delta$-word $\delta^- a 1$
(which has an empty semantics) is not accepted.
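An added executable model of Definition 2 (not code from the paper): configurations, the three transition effects, and acceptance by search over runs, with guarded $\varepsilon$-transitions included because the constructions of Section 5 use them. The encoding is this example's assumption: lower-case letters are actions, `1` a clock tick, `+`/`-` the delay symbols, `e` stands for $\varepsilon$, and guards are strings over `<`, `=`, `>`, `v` (the total relation $\vee$). The `interval_automaton` builder reproduces the saturated 1-oscillator automaton from the proof of Theorem 3 for $((t + \sum_{a \in \Sigma} ta)^*)_{]k,k+1[}$.

```python
# Encoding chosen for this example (not the paper's notation): lower-case letters are
# action symbols, '1' is a clock tick, '+' is delta+, '-' is delta-, 'e' is epsilon.
# Counter guards use the relation symbols of R_v; 'v' is the total relation.
RELATIONS = {"<": lambda c: c < 0, "=": lambda c: c == 0,
             ">": lambda c: c > 0, "v": lambda c: True}


class OscillatorAutomaton:
    """An n-oscillator automaton (Definition 2). A transition is (q, x, R, X, q2) with
    R a string of n relation symbols and X the set of counters (1-based) reset by it."""

    def __init__(self, n, transitions, initial, final):
        self.n, self.initial, self.final = n, set(initial), set(final)
        self.transitions = [(q, x, R, frozenset(X), q2) for q, x, R, X, q2 in transitions]
        for q, x, R, X, q2 in self.transitions:
            if len(R) != n:
                raise ValueError(f"guard {R!r} must have {n} components")
            # delay transitions are unguarded loops (Definition 2)
            if x in "+-" and not (q == q2 and R == "v" * n and not X):
                raise ValueError(f"delay transition {(q, x, R, set(X), q2)} must be a loop")
        plus = {q for q, x, *_ in self.transitions if x == "+"}
        minus = {q for q, x, *_ in self.transitions if x == "-"}
        if plus != minus:
            raise ValueError("delta+ and delta- loops must come in pairs")

    def step(self, config, x):
        """All successors of configuration (q, c) on symbol x."""
        q, c = config
        out = []
        for q1, y, R, X, q2 in self.transitions:
            if q1 != q or y != x or not all(RELATIONS[R[i]](c[i]) for i in range(self.n)):
                continue                          # wrong state/symbol, or c_i R_i 0 fails
            if x == "+":
                c2 = tuple(ci + 1 for ci in c)    # c' = c + 1
            elif x == "-":
                c2 = tuple(ci - 1 for ci in c)    # c' = c - 1
            else:
                c2 = tuple(0 if i + 1 in X else ci for i, ci in enumerate(c))  # c[X := 0]
            out.append((q2, c2))
        return out

    def _closure(self, configs):
        """Close a set of configurations under (guarded) epsilon-transitions."""
        todo, seen = list(configs), set(configs)
        while todo:
            for c2 in self.step(todo.pop(), "e"):
                if c2 not in seen:
                    seen.add(c2)
                    todo.append(c2)
        return seen

    def accepts(self, word):
        """True iff some run over word leads from an initial to a final configuration."""
        configs = self._closure({(q, (0,) * self.n) for q in self.initial})
        for x in word:
            configs = self._closure({c2 for cfg in configs for c2 in self.step(cfg, x)})
            if not configs:
                return False
        return any(q in self.final for q, _ in configs)


def interval_automaton(k, actions):
    """The saturated 1-oscillator automaton of the proof of Theorem 3 (Section 5) for
    ((t + sum_a ta)*)_{]k,k+1[}: k ticks on the q-path then counter > 0, or k+1 ticks
    on the r-path then counter < 0; every state loops on every symbol other than 1."""
    qs = [f"q{i}" for i in range(k + 2)]          # q_0 ... q_{k+1}
    rs = [f"r{i}" for i in range(1, k + 3)]       # r_1 ... r_{k+2}
    trans = [(s, x, "v", set(), s) for s in qs + rs for x in list(actions) + ["+", "-"]]
    trans += [(qs[i - 1], "1", "v", set(), qs[i]) for i in range(1, k + 1)]
    trans.append(("q0", "1", "v", set(), "r1"))
    trans += [(rs[i - 2], "1", "v", set(), rs[i - 1]) for i in range(2, k + 2)]
    trans.append((qs[k], "e", ">", set(), qs[k + 1]))   # k ticks plus a positive delay
    trans.append((rs[k], "e", "<", set(), rs[k + 1]))   # k+1 ticks minus a positive delay
    return OscillatorAutomaton(1, trans, ["q0"], [qs[k + 1], rs[k + 1]])


if __name__ == "__main__":
    A = interval_automaton(1, "a")                # total duration in ]1, 2[
    print([A.accepts(w) for w in ("1+a", "11-a", "a+1", "1a", "11a", "+-1a")])
```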

Theorem 2. The emptiness problem is decidable for oscillator automata. 

Proof. The proof idea is that, for checking emptiness, we only need to keep the
sign of each counter, together with the sign of the difference between each pair of
counters. Essentially, this information is similar to the ordering of the fractional
parts in the region construction [AD94], and will be called here a pattern.

An $n$-pattern is a surjective function $\varphi : [0 \ldots n] \to [1 \ldots k]$, where $k \leq n + 1$.
An $n$-pattern abstracts a tuple of $n$ integer values $c = (c_1, \ldots, c_n)$ to the order
between the components of the tuple and the sign of these components. The
zero $n$-pattern is the unique function $\varphi_0 : [0 \ldots n] \to \{1\}$. A tuple $R \in \mathcal{R}^n_\vee$ is said
compatible with an $n$-pattern $\varphi$ iff, for all $i \in [1 \ldots n]$, $\varphi(i)\, R_i\, \varphi(0)$. For example,
the tuple $c = (-2, 1, -2, 0)$ is abstracted to the 4-pattern $\{0, 4 \mapsto 2;\ 1, 3 \mapsto 1;\ 2 \mapsto 3\}$.

The transitions between configurations of $\mathcal{A}$ have three effects on the tuples
of integers: they may increment or decrement tuples, or reset certain components
of these to zero. We need to define appropriate operations on $n$-patterns that
abstract these three operations. To this end, we associate to each $n$-pattern $\varphi$
the following three mappings: $\nu_1(\varphi) : [0 \ldots n] \to [1 \ldots k-1]$, $\nu_2(\varphi) : [0 \ldots n] \to
[1 \ldots k]$ and $\nu_3(\varphi) : [0 \ldots n] \to [1 \ldots k+1]$, defined as follows:

1. For each $i \in [1 \ldots n]$ with $\varphi(i) < \varphi(0)$, $\nu_1(\varphi)(i) = \nu_2(\varphi)(i) = \nu_3(\varphi)(i) = \varphi(i)$.

2. $\nu_1(\varphi)(0) = \nu_2(\varphi)(0) = \varphi(0) - 1$ and $\nu_3(\varphi)(0) = \varphi(0)$.

3. For each $i \in [1 \ldots n]$ with $\varphi(i) > \varphi(0)$, $\nu_1(\varphi)(i) = \varphi(i) - 1$, $\nu_2(\varphi)(i) = \varphi(i)$
and $\nu_3(\varphi)(i) = \varphi(i) + 1$.

The increment of $\varphi$ is the set of $n$-patterns

$$\varphi^{++} = \begin{cases} \{\varphi\} \cup \{\nu_1(\varphi) \mid \varphi(0) \geq 2\} & \text{iff } card(\varphi^{-1}(\varphi(0))) = 1 \\ \{\nu_3(\varphi)\} \cup \{\nu_2(\varphi) \mid \varphi(0) \geq 2\} & \text{iff } card(\varphi^{-1}(\varphi(0))) \geq 2 \end{cases}$$

We may very similarly define the decrement of an $n$-pattern $\varphi$, denoted $\varphi^{--}$.
The formal definition is left to the reader, due to space limitations. Finally, given
$X \subseteq [1 \ldots n]$, the $X$-reset of an $n$-pattern $\varphi$ is the $n$-pattern $\varphi[X := 0]$ defined as
follows:

1. $\varphi[X := 0](0) = 1 + card\{\varphi(i) \mid \varphi(i) < \varphi(0),\ i \notin X\}$.

2. For each $i \in X$, $\varphi[X := 0](i) = \varphi[X := 0](0)$.

3. For each $i \notin X$, $\varphi[X := 0](i) = 1 + card\{\varphi(j) \mid \varphi(j) < \varphi(i),\ j \notin X\}$.

We then construct the finite automaton $\hat{\mathcal{A}} = (\hat{Q}, \hat{\theta}, \hat{Q}_0, \hat{Q}_f)$ where $\hat{Q} = Q \times
Pat_n$ ($Pat_n$ being the set of $n$-patterns), $\hat{Q}_0 = Q_0 \times \{\varphi_0\}$, $\hat{Q}_f = Q_f \times Pat_n$ and

$$\hat{\theta} = \{(q, \varphi) \xrightarrow{\delta^+} (q, \varphi') \mid \varphi' \in \varphi^{++}\} \cup \{(q, \varphi) \xrightarrow{\delta^-} (q, \varphi') \mid \varphi' \in \varphi^{--}\} \cup$$
$$\{(q, \varphi) \xrightarrow{x} (q', \varphi') \mid x \in \Sigma \cup \{1\} \text{ and } \exists (q, x, R, X, q') \in \theta \text{ s.t. } \varphi \text{ is compatible}$$
$$\text{with } R,\ X = \{i \in [1 \ldots n] \mid R_i \neq \vee\} \text{ and } \varphi' = \varphi[X := 0]\}$$

An upper bound for the number of states in $\hat{\mathcal{A}}$ is $n! \cdot 2^n \cdot card(Q)$. □
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5 Prom Timed Automata 

to Oscillator Automata and Back 

In this section we show that oscillator automata represent exactly all
discretizations of languages of timed automata. The proof of the right-to-left inclusion is
based upon the Kleene theorem (Theorem 1), while the proof in the other direction actually
constructs a region automaton, viewed as a timed automaton.

Theorem 3. For each timed regular expression $E$ there exists an oscillator
automaton whose accepted timed language is $\|E\|$.

Proof. We recursively construct weakly saturated oscillator automata for the
subexpressions of $E$ and show that union, intersection, concatenation, star and
renaming preserve the property of being weakly saturated.

For the expression $tz$, the oscillator automaton has two states $q_1$ and $q_2$,
with $q_1$ initial and $q_2$ final, and loops in $q_1$ with clock ticks and delay
symbols. On $z$, it moves to $q_2$, which has no outgoing transitions. Observe that this
automaton is saturated.

For expressions $(E)_I$, observe first that $\|(E)_I\| = \|E \wedge ((t + \sum_{a \in \Sigma} ta)^*)_I\|$. Hence
we only need to construct oscillator automata for expressions like $((t + \sum_{a \in \Sigma} ta)^*)_I$.

We consider the case $I = ]k, k+1[$ ($k \in \mathbb{N}$), the case $I = \{k\}$ being similar, and
the general case following from these by decomposing $I$ into point or open unit
length intervals.

Hence, we construct a saturated 1-oscillator automaton with $2k + 4$ states
$Q = \{q_0, \ldots, q_{k+1}, r_1, \ldots, r_{k+2}\}$, with $q_0$ initial and $q_{k+1}, r_{k+2}$ final. It loops in
any state with any symbol $x \neq 1$, and moves from $q_{i-1}$ to $q_i$ on symbol $1$, where
$i \in [1 \ldots k]$. It also moves from $q_0$ to $r_1$ and from $r_{i-1}$ to $r_i$ on symbol $1$, with
$i \in [2 \ldots k+1]$. An $\varepsilon$-transition moves the automaton from $q_k$ to $q_{k+1}$, and
this transition is guarded by the relation $>$, and another $\varepsilon$-transition moves the
automaton from $r_{k+1}$ to $r_{k+2}$, and this transition is guarded by the relation $<$.
The resulting oscillator automaton is saturated.

Suppose now we have two oscillator automata $\mathcal{A}_1$ and $\mathcal{A}_2$ with weakly saturated
languages. We may suppose, without loss of generality, that $\mathcal{A}_i$ ($i = 1, 2$)
is obtained from a saturated oscillator automaton $\bar{\mathcal{A}}_i$ by replacing, on all
transitions, all labels not in $\Sigma$ with $\varepsilon$. That is, $\mathcal{A}_i$ and $\bar{\mathcal{A}}_i$ have the same state space
and

— For all $a \in \Sigma \cup \{1, \delta^+, \delta^-\}$, $(q, a, R, X, q') \in \theta_i$ iff $(q, a, R, X, q') \in \bar{\theta}_i$.

— For all $x \notin \Sigma$, if $(q, x, R, X, q') \in \bar{\theta}_i$ then $(q, \varepsilon, R, X, q') \in \theta_i$.

— If $(q, \varepsilon, R, X, q') \in \theta_i$ and $q$ is not initial and $q'$ not final, then there exists
$x \notin \Sigma$ such that $(q, x, R, X, q') \in \bar{\theta}_i$.

We will also suppose that, in both $\mathcal{A}_1$ and $\mathcal{A}_2$, the only transitions leaving
initial states are either $\delta^+$-loops, or $\delta^-$-loops, or $\varepsilon$-transitions with constraint
$R^n_\vee$. Similarly, we suppose that, in both $\mathcal{A}_1$ and $\mathcal{A}_2$, the only transitions entering
final states are either $\delta^+$-loops, or $\delta^-$-loops, or $\varepsilon$-transitions with constraint $R^n_\vee$.
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We may then build easily a saturated oscillator automaton B for D{A\) ■ z ■ 
D{A2), by simply connecting each final state q of A\ to each initial state q' of A2 
via a z-transition with constraint i?" , where z is a fresh symbol, not used in any 
of the automata. By proposition 2, D{B) is saturated. Then, by proposition 3, 
if we replace in B all labels not in S with e, the resulting automaton accepts 
D{Ai) ■ D{A2)- It is also clear that this automaton is weakly saturated, as it’s 
5-language is [Si U 172 U {z} 1 -^ e]D{B). 

A similar construction works for $D(\mathcal{A}_1)^+$: we draw $z$-transitions from each
final state of $\bar{\mathcal{A}}_1$ to each of its initial states, with constraint $R^n_\vee$. Coping with
$D(\mathcal{A}_1)^*$ is then trivial: we only need to append a small saturated automaton
discretizing exactly the timed language containing only the empty timed word.

A straightforward union construction for $\mathcal{A}_1$ and $\mathcal{A}_2$ assures also that $D(\mathcal{A}_1) \cup
D(\mathcal{A}_2)$ is accepted by a weakly saturated oscillator automaton. Also, for
some $a \in \Sigma$ and $b \in \Sigma \cup \{\varepsilon\}$, the $\delta$-language $[a \mapsto b]D(\mathcal{A}_1)$ is accepted by the
oscillator automaton which results from $\mathcal{A}_1$ by replacing $a$ labels with $b$ labels
on all $a$-transitions.

The remaining case is intersection. For this operation, we need to modify
$\bar{\mathcal{A}}_1$ by appending, in each non-initial non-final state, loops with all symbols in
$\Gamma_2$, with constraint $R^n_\vee$. Denote $\tilde{\mathcal{A}}_1$ the resulting automaton. Similarly, we put
loops in each state of $\bar{\mathcal{A}}_2$ with all symbols in $\Gamma_1$ and modify initial and final
states accordingly, and denote $\tilde{\mathcal{A}}_2$ the resulting automaton. Hence, $D(\mathcal{A}_i) =
[\Gamma_1 \cup \Gamma_2 \mapsto \varepsilon]D(\tilde{\mathcal{A}}_i)$, $i = 1, 2$. Also note that both $\tilde{\mathcal{A}}_1$ and $\tilde{\mathcal{A}}_2$ are saturated. Then the
classical intersection construction will provide a saturated oscillator automaton
$\mathcal{A}$ for $D(\tilde{\mathcal{A}}_1) \cap D(\tilde{\mathcal{A}}_2)$, from which, by deleting all symbols in $\Gamma_1 \cup \Gamma_2$, we get
a weakly saturated oscillator automaton for $D(\mathcal{A}_1) \cap D(\mathcal{A}_2)$. The automaton $\mathcal{A}$
is $\mathcal{A} = (Q_1 \times Q_2, \theta, Q_0^1 \times Q_0^2, Q_f^1 \times Q_f^2)$ where

$$\theta = \{(q_1, q_2, x, R, X, q'_1, q'_2) \mid \exists X = X_1 \cup X_2,\ R = R_1 \times R_2 \text{ s.t. } (q_j, x, R_j, X_j, q'_j) \in \theta_j \text{ for } j = 1, 2\}$$

Theorem 4. For each oscillator automaton $\mathcal{A}$, $L(\mathcal{A})$ is accepted by a timed
automaton.

Proof. Suppose that $\mathcal{A}$ has $n$ counters. For each counter $c_i$ of $\mathcal{A}$ we will use
a clock $y_i$ in the timed automaton. Moreover, we will employ a new clock $y_0$,
which will be used for marking clock ticks. Hence, almost each $1$-transition in $\mathcal{A}$
will give a transition in which we check $y_0 = 1$ and reset $y_0$. The only transitions
which will not be transformed into such clock tick transitions will be the first
$1$-transitions. On each accepted run, the first $1$-transition is either ignored, or
transformed into a $(y_0 = 1;\ y_0 := 0)$ transition.

Note that, on any accepting run in $\mathcal{B}$ we have the property that the interval
separating any pair of actions $a, b$ is $]n-1, n+1[$, where $n$ is the number of clock
ticks on the same run, but in $\mathcal{A}$. If we have a run in which a counter $c_i$ is reset
on $a$ and tested only to be positive on $b$, then the time elapsed between $a$ and $b$
would be in the interval $]n, n+1[$, but not in $]n-1, n]$. We therefore have to use
the test on $c_i$ on the $b$-transition for generating a constraint on the corresponding
clock $y_i$ which eliminates the part $]n-1, n]$ from the interval separating $a$ and $b$.
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To this end, for each pair of states q,q' € Q we put in a set N{q,q') all the 
numbers of Is occurring on a sequence of ^-transitions between q and q' . Note 
that we do not need to check whether that sequence of transitions is feasible. The 
computation of N{q, q') is a matter of regular sets. We then separate N{q, q') into 
two sets: N'^{q,q'), containing even numbers, and N^{q,q'), with odd numbers. 
Then, for each 1 < i < n and on each transition t\ = (q, x, R, X, r) on which 
counter Ci is reset, we start counting modulo 2 the Is into a register hi. 

Take a subsequent transition T 2 = {q' ,x' ,R\X' ,r') on which Ri is <. This 
transition is transformed in B into a transition with constraint s]iV^’(y, r') — 
When Ri is = we put the constraint t/i = N^'{q,r'), and similarly 
for Ri being >. To see how this solves our problem, denote rii the number 
of Is encountered since Ci was reset. Obviously n G N^^{q,r'). Therefore, if no 
transition leaving q' has Ri = ‘ > ‘ then the constraints we have designed assure 
that the interval between passing through ti and T 2 has an empty intersection 
with ]n — 1, n[. 

Formally, denote $\mathcal{A} = (Q, \Sigma, \theta, Q_0, Q_f)$ the oscillator automaton, whose set
of counters is $\mathcal{Y} = \{y_1, \ldots, y_n\}$. The timed automaton $\mathcal{B}$ has tuples $(q, \bar{q}, p, h) \in
Q \times Q^n \times \{-, +\} \times \{0, 1\}^n$ as states, where $p$ tells whether the first $1$-transition
has been encountered or not, $\bar{q}_i$ remembers the last state where the counter $c_i$
was reset, while $h_i$ are the registers modulo 2 whose use was shown above. $\mathcal{B}$ has
the following transitions:

1. For each $(q, x, R, X, q') \in \theta$ with $x \in \Sigma \cup \{\varepsilon\}$ we put $(q, \bar{q}, p, h) \xrightarrow{x, C, Y} (q', \bar{q}', p, h')$
where $Y \subseteq \mathcal{Y}$ and $C$ is a conjunction of constraints as follows: for each
$1 \leq i \leq n$,

(a) $y_i \in Y$ iff $i \in X$, and then $h'_i = 0$ and $\bar{q}'_i = q$; otherwise $h'_i = h_i$ and $\bar{q}'_i = \bar{q}_i$;

(b) $C$ contains $y_0 \in ]0, 1[$ as a conjunct;

(c) If $R_i$ is $<$ then $C$ contains $y_i \in ]N^{h_i}(\bar{q}_i, q') - 1, N^{h_i}(\bar{q}_i, q')[$.

(d) If $R_i$ is $=$ then $C$ contains $y_i = N^{h_i}(\bar{q}_i, q')$.

(e) If $R_i$ is $>$ then $C$ contains $y_i \in ]N^{h_i}(\bar{q}_i, q'), N^{h_i}(\bar{q}_i, q') + 1[$.

2. For each $(q, 1, R, X, q') \in \theta$ we have a transition $(q, \bar{q}, p, h) \xrightarrow{\varepsilon, C, Y} (q', \bar{q}', p', h')$
where $Y \subseteq \mathcal{Y}$ and $C$ is a conjunction of constraints, both satisfying the
requirements 1a, 1c, 1d and 1e from the previous point, as well as the following:

(f) If $p$ is $+$ then $p' = p$ and $C$ contains $y_0 = 1$ and $y_0 \in Y$; otherwise $p'$ is $+$.

(g) If $i \notin X$ then $h'_i = (h_i + 1) \bmod 2$.

The $\delta^+$ and $\delta^-$ transitions of $\mathcal{A}$ do not generate transitions in $\mathcal{B}$. The initial
states of $\mathcal{B}$ are tuples $(q, \bar{q}, p, h)$ with $q \in Q_0$, $\bar{q}_i = q$, $h_i = 0$ and $p$ being $-$. The
final states of $\mathcal{B}$ are tuples $(q, \bar{q}, p, h)$ with $q \in Q_f$. □

6 Conclusions 

We have presented a new discretization technique for timed automata, which
corrects the non-compositionality of the region construction w.r.t. intersection. The
discretization we have proposed makes use of two delay symbols with "nonarchimedian"
semantics. Our discretizations are words over an alphabet containing
the action symbols, clock tick symbols and the delay symbols. We have also
investigated a class of automata that accepts discretizations of languages of timed
automata.

The significance for model-checking is yet unclear. As noted at the end of
Section 4, the size of the finite automaton built for checking whether an $n$-oscillator
automaton has an empty language is at most $n! \cdot 2^n \cdot card(Q)$. Comparing with
the region construction, we observe that the largest constants used within clock
constraints are hidden within $card(Q)$. On the other hand, the common basis
for comparison should be the emptiness checking for timed regular expressions.
But timed regular expressions are a very inefficient specification language, since,
by [ACM02], in order to specify the language of a timed automaton, its untimed
behavior is specified $n$ times, once for each clock. More research is also needed
in order to check whether compositional model checking or test generation may
benefit from our approach.

Oscillator automata can be used on their own as a model for timed systems.
We also draw attention to the special form of the timed automata which are
built from oscillator automata. It is easy to check, for those automata, whether
the accepted language is $k$-bounded, and hence whether the automaton is
determinizable and complementable.

We believe that our approach may help in importing more results from clas- 
sical language theory. The first subject that may take advantage of our approach 
is the adaptation of results concerning monoid recognizability. Our discretization 
might also give an alternative framework for laying the basis of a timed trace 
theory [DT99]. 
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Abstract. Timed automata are known not to be complementable or de- 
terminizable. Natural questions are, then, could we check whether a given 
TA enjoys these properties? These problems are not algorithmically solv- 
able, if we require not just a yes/no answer, but also a witness. Minimiz- 
ing the “resources” of a TA (number of clocks or size of constants) are 
also unsolvable problems. Proofs are provided as simple reductions from 
the universality problem. These proofs are not applicable to the corre- 
sponding decision problems, the decidability of which remains open. 



1 Introduction 

Timed automata [2] (TA) have been established as a convenient model for
describing timed systems. This is despite the fact that the model does not
enjoy a number of important properties which hold, for instance, in its untimed
counterpart, finite-state automata. In particular, timed automata are not
complementable in general, meaning that, given a TA A, there does not always exist
a TA accepting the complement of the language accepted by A. This holds even
if we interpret timed automata as accepting finite-length words, which is the
framework we follow in this paper. Timed automata are also not determinizable
in general, meaning that, given a (non-deterministic) TA A, there does not
always exist a deterministic TA accepting the same language.

Complementation is important for capturing the negation of logical specifications by automata, in so-called automata-theoretic verification. Determinization is crucial for implementability and essential in problems of observation, fault diagnosis and test generation (e.g., [13]). Often, works in such domains (e.g., [11, 10]) are restricted to determinizable sub-classes of TA, for instance, so-called event-clock automata [3].

Given these facts, it is natural to ask: “can it be checked whether a given TA A is complementable/determinizable?”. Unfortunately, as we show in this paper, this cannot be done algorithmically, assuming we require not just a “yes/no” answer but also a witness, that is, a TA complementing/determinizing A. Interestingly, we do not know if the decision problems (admitting a “yes/no” answer) are decidable. The proofs we provide rely on the construction of a witness and are based on a reduction of the universality problem, known to be undecidable.
Another set of questions concerns TA minimization, in the sense of reduction of “resources” of timed automata.¹ While the resources of untimed automata can be seen to be states and transitions, in timed automata, the clocks and the constants used in the guards are also important resources. In fact, these are in some sense more “expensive” resources than states and transitions, since most decidable problems concerning timed automata have worst-case complexity polynomial in the states and transitions and exponential in the clocks and constants [2, 7].

Given these facts, it is natural to ask: “can it be checked whether the number of clocks or the size of the constants of a given TA can be reduced?”. Unfortunately, this cannot be done algorithmically (assuming, as previously, that we require not just a “yes/no” answer but also a witness).

These results are probably folk theorems in the timed automata community. 
However, to the best of our knowledge, they have not yet been published. An 
exception is a similar result appearing in [15]. There, it is shown that computing 
the clock-degree of a given timed language (represented as a timed automaton) 
cannot be done algorithmically. The clock-degree is the minimum number of 
clocks necessary to recognize the language. 

Reduction of clocks by removing inactive clocks has been considered in [8]. The idea is that the value of some clocks is irrelevant in certain discrete states, because the clock is not tested and will be reset upon leaving that state. However, the static analysis technique used in [8] to remove inactive clocks is not powerful enough to answer the question we are asking. Indeed, active clocks may still be redundant with respect to language equivalence. Also, minimizable timed automata (MTA) are introduced in [12]. In an MTA, clocks have bounded time domains. The MTA is also equipped with a set of relevance formulas permitting to identify equivalent states modulo inactive clocks. The authors show how a minimal MTA can be algorithmically obtained from a given MTA, where minimality is with respect to states and bisimulation equivalence.



Preliminaries: We assume the reader is familiar with timed automata. We consider a basic TA model, namely, automata with a finite set of discrete states and transitions, where each transition is labeled with a letter in a finite alphabet Σ, has a so-called diagonal-free clock guard [5] (i.e., no constraints of the form x − y < c) and a set of clocks to reset to zero. We use the following notation. ℝ is the set of positive reals. U = (Σ × ℝ)* is the set of all finite-length timed words over Σ. Given L ⊆ U, L̄ is the complement of L, that is, L̄ = U − L. Given a timed automaton A over Σ, L(A) ⊆ U is the set of all finite-length timed words accepted by A. The universality problem is to check, given a TA A, whether L(A) = U. The problem is known to be undecidable [2]. The untimed language of A, denoted L_u(A), is equal to the set of all finite-length words in Σ* accepted by A if we interpret A as a finite-state automaton, that is, ignoring its clock constraints.

¹ We use the term minimization in the sense of reduction of “resources”, and not in the sense of computing the quotient with respect to a bisimulation relation, as in [1, 16, 14].

2 Complementability 

Problem 1. Given a TA A, does there exist a TA B such that L(B) = L̄(A)? If so, construct such a B.

Theorem 1. Problem 1 is not Turing computable.²

Proof. We can reduce the universality problem to Problem 1, as follows. Given A, solve Problem 1. If B exists, L(A) = U iff L(B) = ∅. If B does not exist, then L(A) ≠ U, because the empty language can be accepted by a timed automaton with no accepting states.

Note that the proof relies on the fact that we have a witness and can check emptiness on it. We do not know whether the decision problem corresponding to Problem 1 (which only asks whether B exists) is decidable. Also notice that knowing the existence of a witness does not help in finding one. Enumerating all possible witnesses does not help, since checking for a given B whether L(B) = L̄(A) is undecidable.

3 Determinizability 

Problem 2. Given a TA A, does there exist a deterministic TA B such that L(B) = L(A)? If so, construct such a B.

Theorem 2. Problem 2 is not Turing computable. 

Proof. We can reduce the universality problem to Problem 2, as follows. Given A, solve Problem 2. If B exists, compute C such that L(C) = L̄(B): since B is deterministic, this can be done simply by turning accepting states into non-accepting states and vice-versa. Then, L(A) = U iff L(C) = ∅. If B does not exist, then L(A) ≠ U, because the language U can be accepted by a deterministic timed automaton with a single accepting state, no clocks, and a self-loop for each letter in Σ.

4 Minimization 

4.1 Reducing the Number of Clocks 

Problem 3. Given a TA A with n clocks, does there exist a TA B with n − 1 clocks, such that L(B) = L(A)? If so, construct such a B.

² With a slight language abuse, when we say a problem is computable we mean that the implicitly defined function solving the problem is computable. For instance, in the case of Problem 1, this function takes a TA A and returns either a TA B such that L(B) = L̄(A), or ⊥, when such a B does not exist.
We should note that the technique of clock reduction by removing inactive clocks, proposed in [8], does not solve Problem 3. Indeed, consider the timed automaton that performs a and resets x := 0, then has two transitions with b, one with guard x > 1 and another with guard x < 1. In this automaton, clock x is redundant: the two transitions labeled with b can be replaced by a single transition without any guard. However, the method of [8] finds that clock x is active, because it is tested after it is reset.

Solving Problem 3 can be used in minimizing the number of clocks of A: just keep trying to remove clocks one by one until no clocks are left or until no more clocks can be removed. In particular, the problem, given A, to find, if it exists, an automaton B without any clocks, such that L(B) = L(A), can be reduced to Problem 3. This observation is used in the proof below.

Theorem 3. Problem 3 is not Turing computable. 

Proof. We can reduce the universality problem to the minimization problem, as follows. Given A, check whether there exists B with no clocks such that L(B) = L(A) and if so construct such a B. If B exists, check whether the untimed language of B, L_u(B), is equal to Σ*. If L_u(B) = Σ*, then L(A) = L(B) = U. Indeed, B interpreted as a regular automaton accepts all finite words over Σ, and since it has no clocks, it cannot put any time constraints on them. Thus, when interpreted as a timed automaton, B accepts all finite timed words over Σ. If L_u(B) ≠ Σ*, then there is some w ∈ Σ* − L_u(B). Again, since B has no timing constraints, w ∉ L(B), thus, L(A) ≠ U. If B does not exist then L(A) ≠ U, since U can be accepted by an automaton with no clocks.

4.2 Reducing the Size of Constants 

Problem 4. Given a TA A where constants are not greater than c, does there exist a TA B where constants are not greater than c − 1, such that L(B) = L(A)? If so, construct such a B.

Solving Problem 4 is enough for minimizing the size of constants of A: just keep trying to reduce the size of constants by one until it becomes zero or until it can be reduced no more. In particular, the problem, given A, to find, if it exists, an automaton B with constants at most zero, such that L(B) = L(A), can be reduced to Problem 3.

Lemma 1. Let A be a TA over Σ with constants at most 0. There exists a finite-state automaton A_u over Γ = Σ ∪ {τ}, where τ ∉ Σ, such that L(A) = U iff L(A_u) = Γ*.

Proof. There are two types of guards in A: x > 0 or x = 0, where x is a clock. For each clock x of A, A_u will have one variable b_x ∈ {0,1}. A_u will have the same set of discrete states as A. For every discrete transition of A, A_u will have a transition labeled with the same letter. For every reset x := 0 of the transition of A, we add a reset b_x := 0 to the transition of A_u. For every guard x = 0 (resp. x > 0) of the transition of A, we add a guard b_x = 0 (resp. b_x = 1) to the transition of A_u. At every discrete state of A_u we add a self-loop transition labeled by τ, which sets each variable b_x to 1. Notice that the language of A_u is closed under “stuttering” of τ, for instance, if τa_0 τa_1 ··· τa_n ∈ L(A_u) then τ⁺a_0 τ⁺a_1 ··· τ⁺a_n ⊆ L(A_u) and vice-versa. This is because taking a τ transition two or more times in a row leaves the state of A_u unchanged.

Define the following equivalence between states of A and states of A_u. Given a state (q, v) of A (q is a discrete state and v is a vector of values for each clock x) and a state (q', u) of A_u (q' is a discrete state and u is a vector of values for each variable b_x), the two states are equivalent, denoted (q, v) ~ (q', u), if q = q' and for all i, v(i) = 0 iff u(i) = 0. We claim that if s_1 ~ s_2 then:

1. for each a ∈ Σ and state s_1' of A such that s_1 --a--> s_1', there exists a state s_2' of A_u such that s_2 --a--> s_2' and s_1' ~ s_2';

2. for each a ∈ Σ and state s_2' of A_u such that s_2 --a--> s_2', there exists a state s_1' of A such that s_1 --a--> s_1' and s_1' ~ s_2';

3. for each t ∈ ℝ and state s_1' of A such that s_1 --t--> s_1', there exists a state s_2' of A_u such that s_2 --τ--> s_2' and s_1' ~ s_2';

4. for each state s_2' of A_u such that s_2 --τ--> s_2', for each t ∈ ℝ, there exists a state s_1' of A such that s_1 --t--> s_1' and s_1' ~ s_2'.

The above four properties allow us to prove that L(A) = U iff L(A_u) = Γ*.
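The two constructions used in the proofs above, flipping the accepting states of a deterministic TA (proof of Theorem 2) and the finite-state abstraction A_u of a zero-constant TA (Lemma 1), are small enough to be executed. The following Python code is an added example, not part of the paper: it assumes a timed word is a list of (delay, letter) pairs, encodes a guard as a list of (clock, op, const) atoms, uses the string `"tau"` for the letter τ, and assumes the TA being flipped is deterministic and complete (every state has exactly one enabled transition per letter and clock valuation), which is what makes the flip a complement. The automata DET, NDET, STRICT and SPLIT are constructed for this illustration. For a zero-constant TA the bit b_x can be fed to the same guard evaluator as the clock x, because the guards x = 0 and x > 0 read the same on the values 0 and 1; that is why the Lemma 1 step reuses `fire`.

```python
from collections import deque

# Guard atoms are (clock, op, const); diagonal-free as in the paper's TA model.
OPS = {"<": lambda v, k: v < k, "<=": lambda v, k: v <= k, "=": lambda v, k: v == k,
       ">=": lambda v, k: v >= k, ">": lambda v, k: v > k}

class TA:
    """Finite-word timed automaton. transitions: (src, letter, guard, resets, dst)."""
    def __init__(self, init, accepting, alphabet, clocks, transitions):
        self.init, self.accepting = init, frozenset(accepting)
        self.alphabet, self.clocks, self.transitions = list(alphabet), list(clocks), transitions
        self.states = {s for t in transitions for s in (t[0], t[4])} | {init}

def holds(ta, guard, vals):
    env = dict(zip(ta.clocks, vals))
    return all(OPS[op](env[c], k) for c, op, k in guard)

def fire(ta, q, vals, letter):
    """All configurations reachable from (q, vals) by one `letter` transition."""
    return {(dst, tuple(0 if c in resets else v for c, v in zip(ta.clocks, vals)))
            for src, a, guard, resets, dst in ta.transitions
            if src == q and a == letter and holds(ta, guard, vals)}

def accepts(ta, timed_word):
    """Timed word = [(delay, letter), ...]; sets of configurations handle non-determinism."""
    configs = {(ta.init, (0,) * len(ta.clocks))}
    for delay, letter in timed_word:
        configs = {c for q, vals in configs
                   for c in fire(ta, q, tuple(v + delay for v in vals), letter)}
    return any(q in ta.accepting for q, _ in configs)

def flip_accepting(ta):
    """Theorem 2's complementation step: correct only for a deterministic, complete TA."""
    return TA(ta.init, ta.states - ta.accepting, ta.alphabet, ta.clocks, ta.transitions)

# ---- Lemma 1: the finite-state automaton A_u of a TA whose constants are all 0 ----
TAU = "tau"   # assumed name for the extra letter tau

def abstract_step(ta, configs, letter):
    """Bit b_x stands for clock x (0 iff the clock is 0); a tau step sets every bit to 1.
    Zero-constant guards evaluate unchanged on the bits, so `fire` is reused."""
    if letter == TAU:
        return {(q, (1,) * len(bits)) for q, bits in configs}
    return {c for q, bits in configs for c in fire(ta, q, bits, letter)}

def accepts_gamma(ta, word):
    configs = {(ta.init, (0,) * len(ta.clocks))}
    for letter in word:
        configs = abstract_step(ta, configs, letter)
    return any(q in ta.accepting for q, _ in configs)

def gamma_universal(ta):
    """Subset construction over Gamma = Sigma + {tau}: L(A_u) = Gamma* iff every
    reachable subset contains an accepting configuration (decidable, unlike L(A) = U)."""
    start = frozenset({(ta.init, (0,) * len(ta.clocks))})
    seen, todo = {start}, deque([start])
    while todo:
        subset = todo.popleft()
        if not any(q in ta.accepting for q, _ in subset):
            return False
        for letter in ta.alphabet + [TAU]:
            succ = frozenset(abstract_step(ta, subset, letter))
            if succ not in seen:
                seen.add(succ)
                todo.append(succ)
    return True

def to_gamma(timed_word):
    """Positive delay -> one tau; stuttering closure makes a single tau enough."""
    return [s for d, a in timed_word for s in ((TAU, a) if d > 0 else (a,))]

# Constructed examples (not from the paper).
# DET: deterministic and complete; accepts exactly the words whose letters all occur
# before time 1 (x is never reset in q0).
DET = TA("q0", ["q0"], ["a"], ["x"],
         [("q0", "a", [("x", "<", 1)], set(), "q0"),
          ("q0", "a", [("x", ">=", 1)], {"x"}, "q1"),
          ("q1", "a", [], set(), "q1")])
# NDET: two a-transitions from q0, so flipping accepting states is not complementation.
NDET = TA("q0", ["q1"], ["a"], [],
          [("q0", "a", [], set(), "q0"), ("q0", "a", [], set(), "q1")])
# STRICT (constants 0): after an a, a b is only allowed with no delay (x = 0).
STRICT = TA("q0", ["q0"], ["a", "b"], ["x"],
            [("q0", "a", [], {"x"}, "q1"), ("q1", "a", [], {"x"}, "q1"),
             ("q1", "b", [("x", "=", 0)], set(), "q0"), ("q0", "b", [], set(), "q0")])
# SPLIT (constants 0): the guards x = 0 and x > 0 together cover every clock value.
SPLIT = TA("q0", ["q0"], ["a"], ["x"],
           [("q0", "a", [("x", "=", 0)], set(), "q0"),
            ("q0", "a", [("x", ">", 0)], {"x"}, "q0")])
```

`accepts(DET, w)` and `accepts(flip_accepting(DET), w)` disagree on every timed word w, while for NDET the word (1.0, a) is accepted by both the automaton and its flipped copy, which is exactly why Theorem 2's proof needs B to be deterministic. `gamma_universal` is the decidable universality check that Theorem 4 contrasts with the undecidable universality of general TA; `to_gamma` shows the correspondence of Lemma 1 on concrete words.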
Theorem 4. Problem 4 is not Turing computable. 

Proof. By Lemma 1, checking universality of a TA with constants at most zero is decidable. Since checking universality of a general TA is undecidable, Problem 4 is not computable.



5 Similar Problems with “Bounded Resources” 

One might think that the above negative results could be remedied if one bounds 
the resources of the witness automaton. A similar approach is taken in [9, 4], 
where it actually results in a decidable version of an otherwise undecidable prob- 
lem. Unfortunately, this is not the case for the problems defined in this paper. 

More precisely, given non-negative integers n and c, let TA(n, c) be the class of timed automata having at most n clocks and where constants are at most c. Then, the bounded-resource versions of Problems 1, 2, 3, and 4 can be stated as follows.

Problem 5. Given a TA A and non-negative integers n, c, does there exist a TA B ∈ TA(n, c) such that L(B) = L̄(A)? If so, construct such a B.

Problem 6. Given a TA A and non-negative integers n, c, does there exist a deterministic TA B ∈ TA(n, c) such that L(B) = L(A)? If so, construct such a B.

Problem 7. Given a TA A with n clocks and non-negative integer c, does there exist a TA B ∈ TA(n − 1, c), such that L(B) = L(A)? If so, construct such a B.

Problem 8. Given a TA A with constants not greater than c and non-negative integer n, does there exist a TA B ∈ TA(n, c − 1), such that L(B) = L(A)? If so, construct such a B.

It turns out that all four problems above are not computable. The proofs are almost identical to the ones for the unbounded-resource versions, with the addition that we set n and/or c to zero when reducing the universality problem to the problem in question. For example, in the case of Problem 5, if there exists no B in TA(0, 0) such that L(B) = L̄(A) then L(A) ≠ U, since there is a TA with no clocks accepting the empty language. If B ∈ TA(0, 0) exists then L(A) = U iff L(B) = ∅.

6 Conclusions and Open Questions 

The folk theorems presented in this paper confirm some inherent undecidability properties of the timed automata model. A number of open questions remain. We do not know whether the decision problems corresponding to the problems defined in this paper are decidable.

Another interesting problem is minimization of the number of discrete states of a TA (while possibly increasing the number of clocks or size of constants). The interesting cases are when diagonal guards or resets to constants other than zero are not allowed. Otherwise, a discrete state can be encoded as the ordering x_1 < x_2 < ··· < x_m of a sufficient number of extra clocks x_1, ..., x_m and moving to this state can be encoded with an appropriate reset, such as x_1 := 0, x_2 := 1, ..., x_m := m. Note that, although these features do not add to the expressiveness of the model, removing them can only be done at the expense of adding discrete states [5, 6].
Abstract. Using the Cadence SMV symbolic model checker we synthesize, under certain error assumptions, a scheduler for the smart card personalization system, a case study that has been proposed by Cybernetix Recherche in the context of the EU IST project AMETIST. The scheduler that we synthesize, and of which we prove optimality, has been previously patented. Due to the large number of states (which is beyond 10^^), this synthesis problem appears to be out of the scope of existing tools for controller synthesis, which typically use some form of explicit state enumeration. Our result provides new evidence that model checkers can be useful to tackle industrial sized problems in the area of scheduling and control synthesis.



1 Introduction 

1.1 Background 

Model checking involves analyzing a given model of a system and verifying that this model satisfies some desired properties. System models are typically described as finite transition systems, while properties are described in terms of temporal logic. Once the definition of the system, S, and its property, φ, are fixed, the model checking problem is easily described as S ⊨ φ (does S satisfy φ?). Thanks to the symbolic representation of transition systems, state-of-the-art model checking tools are now capable of solving such problems for models with more than 10^° states [4].

Control synthesis, on the contrary, does not assume the existence of a model of the full system. Instead, it considers the uncontrolled plant and tries to synthesize a controller by finding a possible instance of a model that satisfies a desired property. Control synthesis for Discrete Event Systems (DES) has been extensively studied over the past two to three decades, and a well-established theory has been developed by Ramadge and Wonham [16]. The Ramadge and Wonham framework (RW) is based on the formal (regular) language generated by a finite state machine. The RW plant model P (generator) is obtained by describing the plant processes in terms of a formal language which is generated by a finite automaton. A means of control is adjoined to this generator by identifying the events that can be enabled or disabled by the controlling agent. The specifications Sp are described in terms of a formal language generated by P. The controller is then constructed from a recognizer for the specified language given by Sp.

* This work was supported by the European Community Project IST-2001-35304 AMETIST, http://ametist.cs.utwente.nl.

K.G. Larsen and P. Niebert (Eds.): FORMATS 2003, LNCS 2791, pp. 189–203, 2004.

In this paper, we consider a problem which in theory could very well be solved using the Ramadge and Wonham supervisory control theory. However, given the size of the state space involved, existing control synthesis tools are (to the best of our knowledge) unable to actually compute a solution. Therefore, instead, we tackled the problem using the symbolic model checker SMV [14].¹ This approach allows us to benefit from the (BDD-based) symbolic representation technique of SMV and to (partially!) solve a problem which, because of its size (more than 10^^ states), would be intractable otherwise. Our results demonstrate that model checkers can be useful to solve problems in the area of scheduling and control synthesis.

1.2 Outline 

Using SMV we synthesize a scheduler for a smart card personalization system, 
which has previously been patented by Cybernetix Recherche. We also show that 
this scheduler, known as the “super single mode” [2] is optimal in the absence of 
errors. Finally, we synthesize a set of schedulers for defective card treatment that 
stabilize the system back to the super single mode. Together, these schedulers 
constitute a controller for the system under the assumption that a certain amount 
of time elapses between faults. 

The paper is structured as follows: Section 2 provides a formal definition of 
the uncontrolled plant of the smart card personalization system, and defines the 
correctness and optimality criteria. Section 3 explains the super single mode, 
and how it was generated using SMV. Section 4 deals with systems with faulty 
cards. We list the errors that may occur during the operations of the machine, 
show how to deal with such errors, and give an overview of the synthesized error 
treatment methods. We conclude the paper by pointing out some observations 
and directions for future work in Section 5. 

A full version of this paper appeared as [8]. An electronic copy of the SMV code and also of the trace simulator that we developed to visualize schedules are available via the URL

http://www.cs.kun.nl/ita/publications/papers/biniam/cyber.

1.3 Related Work 

The Ramadge and Wonham framework has been implemented by several research groups and industries. One of the tools developed by Wonham and his research team is CTCT (C based Toy Control Theory)², a tool that was basically built for research purposes only, and uses an exhaustive list to represent the model. Its capacity, as the name indicates, has never extended beyond toy examples. A new approach, Vector Discrete Event Systems, was studied in [12, 22] to alleviate the shortcoming of CTCT by exploiting the structural properties of DES. Although this approach resulted in better performance, its structural analysis approach cannot be generalized [5].

Other notable developments in this area are: the UMDES-LIB library from the University of Michigan [18], Bertil Brandin’s tool for DES control synthesis with heuristics [3], a tool for Condition/Event Systems [19], and another tool by Martin Fabian and Knut Åkesson [1].

¹ We use the version of SMV developed at Cadence Berkeley Laboratories, see http://www-cad.eecs.berkeley.edu/~kenmcmil/smv/.

Control Synthesis for a Smart Card Personalization System 191

All the above tools lack symbolic representation of state transitions, and 
suffer from state space explosion problems. A Binary Decision Diagram (BDD) 
like data structure called Integer Decision Diagram (IDD) has been used to 
represent sets of states symbolically. For example, Gunnarsson in [9] and Zhang 
and Wonham in [23] have used IDDs in their implementation. This approach is 
quite promising for dealing with large systems, but it is still in laboratory stage, 
and not available to the public. 

Our main motivation for using SMV is thus to overcome this deficiency and 
benefit from symbolic representation of SMV. The smart card personalization 
system is quite a large system and cannot be handled with a tool that does not 
use symbolic representation. Our paper shows how the scheduler synthesis can 
be solved using a model checker and presents new evidence that model checkers 
can be useful in solving problems in the area of scheduling and synthesis. Our 
work has been inspired by similar approaches that were employed in [7, 10, 15] 
to synthesize schedulers for industrial size problems. 

We were the first to model the smart card personalization system and to synthesize a scheduler for it. However, the same case study has also been addressed by other members of the AMETIST consortium. T. Krilavicius and Y. Usenko [11] constructed models using UPPAAL and μCRL, and used these to synthesize controllers. Whereas in our model production of cards is essentially an infinite process, Krilavicius and Usenko only consider scheduling of a finite number of cards. As a consequence, they do not synthesize the super single mode. Inspired by [11], T. Ruys used SPIN to synthesize a controller for the smart card personalization machine [17]. Also this model only considers scheduling of a finite number of cards (the largest parameter values considered are 5 cards and 4 stations). In order to handle the state space explosion, Ruys encodes branch & bound search strategies in SPIN. In addition, he has to instruct SPIN to use a number of heuristics, which in our view are both complex (the code for the heuristics is longer than the code of our entire model!) and debatable (Ruys assumes that cards cannot overtake each other; in the real machine this is possible with the help of the personalization stations). A. Mader in [13] applied decomposition and mixed strategies to model and synthesize a controller for the extended smart card personalization machine that includes printers and flippers.

² See http://odin.control.toronto.edu/people/profs/wonham.
G. Weiss employed Life Sequence Charts (LSC) to synthesize a scheduler with the smart play-in/play-out approach [21]. None of the mentioned approaches deals with error handling.

2 Smart Card Personalization System 

The “smart card personalization system” is a case study that has been proposed by Cybernetix Recherche in the context of the EU IST project AMETIST [2]. The case study concerns a machine for smart card personalization, which takes piles of blank smart cards as raw material, programs them with personalized data, prints them and tests them.

The machine has a throughput of approximately 6000 cards per hour. It is 
required that the output of cards occurs in a predefined order. Unfortunately, 
some cards may turn out to be defective and have to be discarded, but without 
changing the output order of personalized cards. Decisions on how to reorganize 
the flow of cards must be taken within fractions of a second, as no production 
time is to be lost. 

The goal of the case study is to model the desired production requirements as 
well as the timing requirements of operations of the machine, and on this basis 
synthesize the coordination of the tracking of defective cards. More specifically, 
the goal is to synthesize optimal schedules for the personalization machine in 
which defective cards are dealt with, i.e., schedules in which 

1. cards are produced in the right order (safety). The order of cards is important as no other sorting mechanism should exist in the system,

2. throughput is maximal (liveness).

2.1 The Uncontrolled Plant Model 

Figure 1 shows a simplified smart card personalization machine. The machine consists of a conveyor belt and personalization stations mounted on top of it. The machine also has an input station and an output station, which are situated on the left and right side of the belt respectively. New cards enter the system through the input station and advance to the right one step at a time. At some point, a card is lifted up to one of the personalization stations, spends some time there (is personalized), and is then dropped back onto the belt. The card then moves towards the output station for testing and delivery. The actual machine is considerably more complicated than the machine in Figure 1, but our aim is to find a scheduler that effectively utilizes the personalization stations and optimizes throughput. The simplified model of the machine appears to be adequate for this purpose.

The SMV model for the uncontrolled machine is a collection of processes running concurrently: forward (moving the belt one step to the right) and, for each personalization station j, lift_drop_j (lifting/dropping a card from/to the belt to/from station j). We employ a discrete model of time, in which one time unit is equivalent to one forward move of the belt. All personalization stations are identical and need S time units to personalize a card. We assume lifting and dropping takes no time.

Fig. 1. Simplified smart card personalization machine

Fig. 2. The model of the smart card personalization machine

We assume there are M stations (denoted by b_j), and N = M+2 slots in the belt (denoted by a_i) as shown in Figure 2. To make model checking possible, the number of different personalizations is assumed to be bounded by some value K, which is a multiple of M. Each slot or station will have a value as shown in Table 1.

An empty slot/station is coded twice (as -3 and -2) in order to distinguish between the initial value (-3) and the slot/station being emptied along the way (-2). This allows us to control intermediate blank slots more efficiently, as will be explained below. We also use an integer variable x_j (0 ≤ j < M) as a clock to record how long a card has been held in station j.
Table 1. System parameters and encoding of values

  parameter   represents
  ---------   ------------------------------------
  M           number of stations
  N           total number of slots
  K           number of different personalizations
  S           time needed for personalization

  slot / station value   meaning
  --------------------   ----------------------
  -3                     empty (initial value)
  -2                     emptied
  -1                     new card
  j, 0 ≤ j < K           personalized with j
  K                      defective card

Formally, the process forward is defined as follows (for a complete specification of the system we refer the reader to [8]).

    module forward(a,b,x){
      next(a[0]) := {-1, -2};            /* a new card appears non-deterministically */
      for(j=1; j<=N-1; j=j+1)            /* move the belt forward */
        next(a[j]) := a[j-1];
      for(j=0; j<M; j=j+1){              /* increment clocks of the busy stations */
        if(x[j]<S & b[j]>=0)
          next(x[j]) := x[j]+1;
      }
    }

and the processes lift_drop_j (0 ≤ j < M) are defined as:

    module lift_drop(a,b,x,j){
      if(b[j] <= -2 & a[j+1] = -1){      /* idle station and new card */
        next(b[j]) := 0..K;              /* generate a personalization */
        next(a[j+1]) := b[j];            /* reset the slot */
        next(x[j]) := 0;                 /* reset the clock */
      }
      else if(b[j] >= 0 & x[j] = S       /* card personalized */
              & a[j+1] = -2){            /* a blank slot beneath */
        next(a[j+1]) := b[j];            /* drop the card */
        next(b[j]) := -2;                /* reset the station */
      }
    }

Correctness. The desired correctness property is:

There exists a run that always produces personalized cards in the right order.
To formalize the concept of “right order”, an observer process is introduced that compares the output value with the expected value. Formally, the observer is defined as follows. We introduce a new state variable out, which initially is 0, and assume K is a multiple of M, say 2·M. The behavior of the observer is specified by:

    if (out = a[N-1]) next(out) := (out+1) mod K;
    else if (a[N-1] > -2) next(out) := K;

If cards are not produced in the right order or if a card is output that has not been personalized, the observer sets the value of out to the “error” value K. The control objective then becomes to ensure that the observer will never detect an error. We can synthesize a scheduler that realizes this (if it exists) by asking SMV whether the following CTL formula holds:

    AF ¬(out < K).                                   (1)

If this formula does not hold then there exists an infinite run in which for all states out < K, i.e., the observer never detects an error. In this case SMV will provide a counter example, which essentially is an infinite schedule for the machine that meets the control objective.



Optimization. Obviously, there are many runs in which all states satisfy out < K, for instance, a run in which the machine produces no cards at all. The interesting runs are those with high throughput, or more specifically with fewer blank slots in the output.

To minimize the blank slots in the output and in order to guide SMV towards optimal schedules, we introduce the “blank tolerance condition” of the machine, in the form of a new state variable tl, which is initially 0, and is incremented and decremented as follows:

    if (a[N-1] = -2) next(tl) := tl-1;
    else if (a[N-1] >= 0 & (a[N-1] mod S) = S-1) next(tl) := tl+1;

We add 1 to tl each time S cards have been produced (a[N-1] mod S = S-1). We decrement tl by 1 whenever a blank slot arrives (a[N-1] = -2). However, we start decrementing only after the leading blank slots (a[N-1] = -3) have passed. In all other cases we leave the value of tl unchanged.

Now we ask SMV whether the following CTL formula holds:

    AF ¬(out < K ∧ tl ≥ 0).                          (2)

If this formula does not hold, there exists an infinite scheduler that maintains the invariant tl ≥ 0. This means that each time the system has produced S cards, the observer tolerates a single blank slot.
Table 2. The super single mode for 4 personalization stations

3 The Super Single Mode

Using the approach outlined in the previous section, the example run in Table 2 was generated. With a “normal-speed” PC we were able to generate example runs for M < 5 (in the real machine M could be 8, 16 or 32). The runs exhibit the schedule of the super single mode as patented by Cybernetix. Table 2 shows the first 19 configurations of the super single mode with M = 4, S = 4, K = 12. Each row represents a single configuration at a given time. The upper part of the row shows the values of the stations, while the lower part shows the values of the slots in the conveyor belt. An empty cell means the slot or the station is idle, a box (□) represents a new card, and a number represents the personalization value of the card contained in the station or in the slot. Table 2 can be read as:

— time 0: the machine is empty.

— time 1: the first new card arrives on the conveyor belt.

— time 2: the first card is lifted to station 0.

— time 4: the second card is lifted to station 1 and it continues likewise.

— time 5: there is no card from the input.

— time 6: station 0 finishes personalizing a card with value 0. In super single mode, M (4 in this example) time units are required to personalize a card.

— time 7: station 0 proceeds with personalizing another card with a different value (namely 4). Note that value 3 is not taken yet. This pattern shows that the order of output is exactly the same as the order of the cards when they are fed into the machine, but the production order is different, and there is an overlap between rounds. This overlap is even more clearly visible when a machine with 8 (instead of 4) personalization stations is considered.

If in our model a station is allowed to take more than M time units for personalizing a card, i.e., S > M, then CTL formula (2) holds. In other words: if the conveyor belt is rolling faster than the personalization stations can handle then personalizing M consecutive cards becomes impossible.

Similarly, for a personalization time of M time units, if we have M+1 consec- 
utive new cards followed by empty slots (even with lots of empty slots), then it 
becomes impossible to personalize all of them. This result implies that the super 
single mode is optimal in the absence of errors. 

4 Error Recovery 

The control objective for the smart card personalization machine is to personalize 
cards in the right order even in the presence of errors. The super single mode, 
as explained above, only works for a perfect machine that makes no errors. In 
general, it is difficult to prevent errors from occurring (even though errors are 
rare, approximately 1 in 6000 cards), and so it makes our approach more realistic 
if we allow for the occurrence of errors in our model, and provide a means of 
recovering from them. 

There are several methods to achieve fault-tolerant behavior. Our approach is 
inspired by the concept of self-stabilization [6, 20], which is well-known from the 
area of distributed algorithms. An algorithm is called stabilizing if it eventually 
starts to behave correctly (i.e., according to the specification of the algorithm), 
regardless of the initial configuration. 

Figure 3 shows the production cycle of the personalization machine under 
the super single mode. In the normal mode of operation the machine loops on 
the super single mode cycle (the continuous line). This loop is also shown in 
Table 2 with actual figures. The configurations of the machine at time 9, 10, 11, 
12, 13 are equivalent (personalization value modulo M = 4) to the configurations 
at time 14, 15, 16, 17 and 18 respectively. Thus the super single mode enters the 
loop at time 9 and loops forever with a period of 5 time units. 

However, when an error occurs (dashed line in Figure 3), an error recovery 
treatment (dotted line) should be conducted to stabilize the system and bring 
it back to the loop. We use SMV to synthesize an error recovery treatment that 
brings the machine back to the loop. Basically, our approach is as follows: 




Fig. 3. Stabilization of the smart card personalization system 

Fig. 4. Expanded model of the smart card personalization machine 



1. Use SMV to synthesize a regular super single mode run, as described in the 
previous section. 

2. Pick a state on this run and manually introduce an error; the new error 
state s now becomes the start state of the model. 

3. Pick an arbitrary state t on the super single mode cycle, and encode this as 
an SMV state formula $\varphi$. 

4. Ask SMV whether the following formula holds 

$AG\,\neg\varphi$. (3) 

If formula (3) does not hold then SMV generates a counterexample; this 
counterexample is the schedule for a recovery operation that brings the sys- 
tem from state s back into super single mode. 

Note that, unlike the theory of self-stabilization, we do not consider arbitrary 
initial configurations, but only configurations that have been obtained by intro- 
ducing a single error into a super single mode configuration. 



4.1 Types of Errors 

It is easy to list many scenarios that can make the system behave erratically. In 
this paper we will only consider errors that may occur in the card. That is: 

1. Type 1 errors (E1) are errors in a smart card originating from physical 
damage or other reasons. This type of error is detected by the personalization 
stations. E1a and E1b in Table 3 are examples of E1 errors. 

2. Type 2 errors (E2) are errors originating from the personalization station 
when cards are personalized wrongly, which makes them unusable. This type 
of error is detected by a tester situated at the end of the personalization 
stations. E2a in Table 3 is an example of an E2 error. 

To make our system recoverable from these errors, we will modify our model 
in two ways: by adding extra operations and by expanding the belt in both 
directions. 
Table 3. The super single mode for 8 personalization stations with error. Only card 
values in stations are shown 
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4.2 Recovery Operations 

If a defective card is detected in the tester then, in order to maintain correctness 
(i.e., produce personalized cards in the right order), the defective card has to 
be removed, a replacement card has to be produced, and inserted in the right 
position. In order to realize this, first the defective card has to be swept off the 
belt, and then the belt has to go back to one of the personalization stations to 
retrieve a replacement card and place it in the right position. For this purpose 
we enrich our model with ‘backward’ and ‘sweep’ operations. 

The backward move is the same as the forward move except that it moves 
the belt in the opposite direction. The forward move is the “normal” way of 
moving the belt, the backward move is used only to handle defective cards [2]. 
We assume that a backward move takes 1 time unit per step. 

When the belt moves backward, the leftmost cards on the belt are also pushed 
back to the edge. For technical reasons explained in [2], the preferred way of 
treatment is to expand the belt to the left. As shown in Figure 4, the gap 
between the input station and the first personalization station, denoted by $d_i$ 
($0 \le i < D$, $D = M$), is important for backward movement. Similarly, the belt 
is also expanded to the right: $N$ ($= M+2$) covers the extended slots on the right 
side. 



200 Biniam Gebremichael and Frits Vaandrager 



Table 4. Safety requirements for belt operations 

Operation   Safety requirements                   Meaning 
backward    $d_0 < 0$                             no processed card reaches the input station; 
                                                  unprocessed (new) cards can return 
                                                  back to the input station 
forward     $a_{N-1} = out \lor a_{N-1} = -2$     no unexpected card reaches 
                                                  the tester station 
sweep       $a_M = K$                             only defective cards are swept 


A sweeper is a device that kicks defective cards from the belt. In the physical 
machine, a sweeper is situated after the personalization station. Formally the 
sweep operation is defined as: 

    module sweep(a) { 
        if (a[M] = K) next(a[M]) := -2; 
    } 

4.3 Safety Requirements 

During the stabilization process, the machine executes operations that are not 
performed in super single mode. Even if the machine is allowed to perform these 
special operations, there are some safety requirements that have to be obeyed 
by the control program. These are shown in Table 4. Complete SMV code for 
error recovery treatment is given in [8]. 
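The recovery search of steps 1–4 above, driven by the Table 4 guards and the sweep operation, as an added Python example (not the authors' SMV model): a breadth-first search over a simplified belt model plays the role of the counterexample to $AG\,\neg\varphi$. It assumes the encodings new card = -1 and empty slot = -2, instantaneous personalization, and that no new cards are fed during recovery; the E2 scenario is constructed.

```python
"""Explicit-state search for an error-recovery schedule (constructed example,
not the authors' SMV model).  The belt is d_0..d_{D-1} (the gap left of station
0, Figure 4) followed by a_0..a_{N-1}: a_i (i < M) lies under station i, a_M
under the sweeper and a_{N-1} under the tester.  The schedule SMV extracts as a
counterexample to AG !phi is found here as the shortest path to a phi-state."""
from collections import deque

M = 4                 # personalization stations, as in Table 2
D = M                 # gap slots d_0..d_{D-1} (D = M, Section 4.2)
N = M + 2             # slots a_0..a_{N-1}; sweeper at a_M, tester at a_{N-1}
K = 12                # value marking a defective card, as in the sweep module
NEW, EMPTY = -1, -2   # assumed encoding: new card = -1, empty slot = -2, so d_0 < 0
                      # means "no processed card at the input station" (Table 4)

def a(i):
    """Belt index of slot a_i (the belt tuple is d_0..d_{D-1}, a_0..a_{N-1})."""
    return D + i

# A state is (belt, stations, out): belt holds D+N slot values, stations holds
# NEW for a station with a fresh card and None for an idle one, and out is the
# personalization value the tester expects to see next.

def forward(state):
    """Roll one slot to the right; guard: a_{N-1} = out or a_{N-1} = -2 (Table 4)."""
    belt, st, out = state
    tester = belt[a(N - 1)]
    if tester != out and tester != EMPTY:
        return None
    new_out = out + 1 if tester == out else out      # the expected card leaves in order
    # assumption: the input station feeds no new cards during recovery
    return ((EMPTY,) + belt[:-1], st, new_out)

def backward(state):
    """Roll one slot to the left; guard: d_0 < 0, i.e. nothing processed falls back."""
    belt, st, out = state
    if belt[0] >= 0:
        return None
    return (belt[1:] + (EMPTY,), st, out)

def sweep(state):
    """Kick the card under the sweeper off the belt; guard: a_M = K (only defective cards)."""
    belt, st, out = state
    if belt[a(M)] != K:
        return None
    return (belt[:a(M)] + (EMPTY,) + belt[a(M) + 1:], st, out)

def personalize(state, i):
    """Station i personalizes its fresh card with the missing value (= out) and drops
    it into a_i.  Assumption: instantaneous, where the paper charges S = M time units."""
    belt, st, out = state
    if st[i] != NEW or belt[a(i)] != EMPTY:
        return None
    return (belt[:a(i)] + (out,) + belt[a(i) + 1:], st[:i] + (None,) + st[i + 1:], out)

def successors(state):
    yield "forward", forward(state)
    yield "backward", backward(state)
    yield "sweep", sweep(state)
    for i in range(M):
        yield f"personalize({i})", personalize(state, i)

def recovery_path(start, phi):
    """Shortest operation sequence from start to a state satisfying phi, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if phi(s):
            ops = []
            while parent[s] is not None:
                op, s = parent[s]
                ops.append(op)
            return ops[::-1]
        for op, t in successors(s):             # guarded moves return None
            if t is not None and t not in parent:
                parent[t] = (op, s)
                queue.append(t)
    return None

OPS = {"forward": forward, "backward": backward, "sweep": sweep}

def apply_ops(state, ops):
    """Replay a schedule; raises if a Table 4 guard is violated along the way."""
    for op in ops:
        nxt = (personalize(state, int(op[12:-1])) if op.startswith("personalize(")
               else OPS[op](state))
        if nxt is None:
            raise ValueError(f"guard of {op} violated")
        state = nxt
    return state

def e2_scenario():
    """Constructed E2 configuration: the defective card (missing value 5) sits at the
    tester, card 6 is right behind it under the sweeper, station 0 holds a fresh card."""
    belt = [EMPTY] * (D + N)
    belt[a(N - 1)], belt[a(M)] = K, 6
    stations = [None] * M
    stations[0] = NEW
    return (tuple(belt), tuple(stations), 5)

def recovered(state):
    """phi: the defective card is gone and cards 5 and 6 have passed the tester in order."""
    belt, _, out = state
    return K not in belt and out == 7
```

For the scenario above the search returns 14 operations: one backward move and a sweep, four more backward moves until card 6 is left of station 0, the drop of the replacement, and seven forward moves; dropping the replacement behind card 6 is never chosen because the forward guard then blocks at the tester.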

4.4 Results 

For a single error scenario as defined above, there are $2M$ possible error config- 
urations in one cycle of the super single mode. Using these error configurations 
as an initial state and the formula (3) we generated a recovery path that could 
stabilize the system back to the super single mode. Obviously, each path is dif- 
ferent for a different initial state; however, they share a similar pattern. Thus we 
group similar paths together and explain their properties below. 

1. When the error type is E1 and the faulty card was detected in the first half 
of the stations ($b_i$: $0 \le i < \lfloor M/2 \rfloor$), then the faulty card remains in the station until 
a free slot is available, and the personalization value remains unused until then. 
For example, when the faulty card E1a in Table 3 was detected, the 
personalization value (which is 9) was used in station 2. 

2. Using the same technique for E1 errors in the second half of the stations ($b_i$: 
$\lfloor M/2 \rfloor \le i \le M-1$) will not solve the problem; instead it will introduce another error. 
The generated recovery path for this scenario is to skip the personalization 
value for now and let the error evolve to an E2 error. The personalization value 
(6) of E1b in Table 3 was skipped and E1b will again be an error of type E2 
at time 24. 
Table 5. Defective card treatment for error type 2 

3. The recovery path for E2 errors consists of: 

— finding a station with a fresh card; this station should be in the first half. 
Otherwise an error like E1b will happen again. See also Example 1. 

— rolling the belt backward to this station, 

— personalizing the card with the personalization value which is missing, 
and 

— dropping the card onto the belt and forwarding it to the tester. 

Example 1. In Table 5, at time 23 the 5th card is found defective. At the same 
time station 6 starts with a fresh card. If a replacement card were produced 
in this station, then personalization number 14 would be skipped. But this would 
introduce another error, because the 16th and 17th cards are already in prepa- 
ration and they cannot be altered. Instead we can produce the card in the next 
station (station 2) that becomes available. 

4.5 Cost of Error Recovery 

An upper bound on the number of time units spent recovering from an error can 
be calculated as follows. 

1. Once an error is detected by the tester, one step forward may be necessary 
if it is an error like in Example 1. 

2. To reproduce a replacement card we will require S = M time units, during 
this time the belt rolls back to the station. 

3. Once the card is reproduced, it will take another M time units for the new 
card to reach the tester. In practice the belt can move forward faster than M 
time units, and the time spent to reach the tester will be smaller. 

Thus, based on the above observation, $2M + 1$ time units are required in the 
worst case to recover from a single error. It is possible to tighten this upper 
bound by introducing fast forward and fast backward moves. 
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5 Conclusions 

Using SMV, we rediscovered the super single mode that has previously been 
patented by Cybernetix. This result gives us new evidence that model checking 
can also be useful as a design aid for new machines. Our approach also allowed 
us to generate defective card treatments, that may arise due to damaged cards 
and wrong personalization. The present work shows error treatments for a single 
error; we believe the same technique can be easily extended to multiple error 
treatment. In this way, using model checking, we go beyond scheduler synthesis 
and actually solve a control synthesis problem. 

The input language of Cadence SMV is sufficiently expressive to encode in 
a natural and compact way a simplified model of the personalization machine. 
However, safety and liveness properties for multiple error treatments (of single 
or multiple types) are complicated to express in temporal logic, especially when 
dealing with the uncontrolled plant. Nevertheless, by decreasing the degree of 
uncontrollability of the plant, we believe multiple errors can be handled and 
more complex discrete time models of the actual Cybernetix design (including 
the controller) can be described. 

A possible disadvantage of our approach is that the SMV descriptions are 
difficult to understand for people who are not familiar with formal methods 
(unlike say Petri nets). However, a clear advantage is that our description can 
serve directly as input for a powerful model checker. 
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Abstract. In this paper we report some progress in applying timed 
automata technology to large-scale problems. We focus on the problem 
of finding maximal stabilization time for combinational circuits whose 
inputs change only once and hence they can be modeled using acyclic 
timed automata. We develop a “divide-and-conquer” methodology based 
on decomposing the circuit into sub-circuits and using timed automata 
analysis tools to build conservative low-complexity approximations of 
the sub-circuits to be used as inputs for the rest of the system. Some 
preliminary results of this methodology are reported. 



1 Introduction 

It is well known that timed automata (TA) [AD94] are well suited for modeling 
delays in digital circuits [D89, L89, MP95]. Although some applications of TA 
technology for solving timing-related problems for such circuits have been re- 
ported [MY96, BMPY97, TKB97, TKY+98, BMT99, BJMY02], the state- and 
clock-explosion associated with such models, restricted the applicability of TA 
to small circuits. In this work we try to treat larger combinational circuits by 
using the old-fashioned recipe of abstraction and approximation. When viewed 
from a purely-functional point of view, combinational circuits realize instanta- 
neous Boolean functions. However, when gate delays are taken into account, the 
computation of that function is not considered anymore as an atomic action 
but rather as a process where changes in the inputs are gradually propagated 
to the outputs. The question of finding the worst-case propagation delay of the 
circuit, that is, the maximal time that may elapse between a change in the in- 
puts and the last change in the outputs, is of extreme practical importance as 
it determines, for example, the frequency of the clock with which a circuit can 
operate. Static techniques currently practiced in industry are based on finding 
the longest (in terms of accumulated delays) path from inputs to outputs in the 
circuit. While these bounds are easy to compute (polynomial in the size of the 
circuit), they can be over-pessimistic because they abstract from the particular 
logic of the circuit which may prevent such longest paths from being exercised.¹ 

* This work was partially supported by a grant from Intel and by the European Com- 
munity Projects IST-2001-35304 AMETIST (Advanced Methods for Timed Sys- 
tems), http://ametist.cs.utwente.nl 

¹ A lot of effort has been invested in the problem of detecting such “false paths”. 
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On the other hand, models based on timed automata do express the interaction 
between logic and timing and hence can lead to more accurate results. Alas, 
TA-based techniques are still very far from being applicable to industrial-size 
circuits. 

The present paper attempts to find a better trade-off between accuracy and 
tractability by using timed automata as an underlying semantic model and by 
applying abstraction techniques to parts of the circuit in order to build for them 
small over-approximating timed automata that can be plugged as inputs to other 
parts of the circuit. Our abstraction technique takes advantage of the acyclic 
nature of the circuits and their corresponding automata, which implies, among 
other things, that every variable changes finitely many times before stabilization 
in every run of the automaton. 

The rest of the paper is organized as follows: in Section 2 we give a formal 
definition of circuits, their “languages” and the maximal stabilization time prob- 
lem. In section 3 we explain the modeling of such circuits as timed automata. 
Section 4 is devoted to our abstraction technique, its properties and the way it 
is implemented using the tools IF /Kronos and Aldebaran. Preliminary experi- 
mental results are reported in Section 5 followed by a discussion of related work 
and future directions. 



2 Timed Boolean Circuits 

Throughout this paper we restrict ourselves to acyclic circuits. 

Definition 1 (Boolean Circuits). A Boolean circuit is $C = (V, \prec, F)$ where 
$V$ is a set of nodes, $\prec$ is an irreflexive and anti-symmetric binary relation and $F$ 
is a function that assigns to every non-input node $v$ a Boolean function $F_v$. 

Here $v \prec v'$ means that $v$ influences $v'$ directly. The transitive closure $\prec^*$ of 
$\prec$ induces a strict partial order $(V, \prec^*)$ where the minimal elements are called 
input nodes and are denoted by $V_I$. The rest of the nodes are called non-input 
nodes and denoted by $V_N$. A subset $V_O$ of $V$ consists of output nodes, those that 
are observable from the outside. An example appears in Figure 1-(a). The set 
of immediate predecessors of a node is $\pi(v) = \{v' : v' \prec v\}$ and the set of its 
predecessors (backward cone) is $\pi^*(v) = \{v' : v' \prec^* v\}$. 

By substitution we define for every node $v$ a function $G_v$ defined on the 
inputs in its backward cone. We will use $X$, $Y$ and $Z$ to 
denote the sets of possible assignments to input, non-input and output nodes, 
respectively. The whole circuit can be viewed as computing a function $G : X \to 
Y$. The stable state of the circuit associated with an input vector $x \in X$ is 
$y = G(x)$. 

This concludes the formalization of Boolean circuits and their functions. 
These functions are instantaneous with no notion of time. The next step is to 
lift them to functions (operators) on signals, that is, on functions that specify 
the evolution of a value over (continuous) time. 
Fig. 1. (a) A Boolean circuit; (b) A timed Boolean circuit 



Definition 2 (Signals). Let $A$ be a set and let $T = \mathbb{R}_+$ be a time domain. 
An $A$-valued signal over $T$ is a partial function $\alpha : T \to A$ whose domain of 
definition is an interval $[0, r)$ for some $r \in T$. 

We use $\alpha[t]$ to denote the value of $\alpha$ at $t$. When $A$ is finite, signals are piecewise- 
constant and make discontinuous jumps at certain points in time. This is for- 
malized as follows. The left limit of a signal $\alpha$ at time $t$ is defined as $\alpha[t^-] = 
\lim_{t' \to t^-} \alpha[t']$. For every piecewise-constant signal $\alpha$ we define: 

— The ordered set of jump points, $\mathcal{J}(\alpha) = \{t : \alpha[t^-] \neq \alpha[t]\} = \{t_0, t_1, \ldots\}$. 

— The set of maximally-uniform intervals $\mathcal{I}(\alpha) = \{I_1, I_2, \ldots\}$ where $I_i = 
[t_{i-1}, t_i)$ for $t_{i-1}, t_i \in \mathcal{J}(\alpha)$. 

Clearly, the value of $\alpha$ is uniform over any subset of a maximally-uniform interval. 
We restrict our attention to well-behaving signals, i.e., those for which $\mathcal{J}(\alpha)$ has 
finitely many elements in any finite interval. We denote the set of $A$-valued 
signals by $S(A)$. 

When a gate or any other I/O device gets a signal as an input, it transforms 
it into an output signal. This is captured mathematically by what is called 
a transducer, or a signal operator, a function that maps signals to signals. We 
restrict such functions to be causal, that is, the value of the output at time t can 
depend only on the value of the input in times [0, t] and not on later values. The 
simplest type of operators are memoryless (instantaneous) operators defined as 
follows. 

Definition 3 (Memoryless Operators). A memoryless signal operator is 
a function $f : S(A) \to S(B)$ obtained as a pointwise extension of a function 
$f : A \to B$, that is, $\beta = f(\alpha)$ if $\beta[t] = f(\alpha[t])$ for every $t$ in the domain of $\alpha$. 

In reality, since gates are realized by continuous physical processes, it takes 
some time to propagate changes from input to output ports. To define this phe- 
nomenon mathematically we need the basic operator with memory for discrete- 
valued signals, the delay, which takes a signal and “shifts” it in time. One can 
define a variety of delay operators differing from each other in complexity and in 
Fig. 2. An input signal $\alpha$ and a few of the elements of $D_{[2,3]}(0, \alpha)$ 



physical faithfulness. The class of models that we consider is called bi-bounded in- 
ertial delays [BS94] and is characterized by an interval $I = [l, u]$ which gives lower 
and upper bounds on the propagation delay. For the purpose of this paper we 
will use the model introduced in [MP95] but since the choice of the delay model 
is orthogonal to the rest of the methodology we will defer the exact definition of 
the operator to Section 3 where it will be defined in terms of its corresponding 
timed automaton and use meanwhile a general semi-formal definition. 

Definition 4 (Delay Operators). A delay operator is a non-deterministic 
function of the form $D_I : A \times S(A) \to 2^{S(A)}$ where $I = [l, u]$ is a parameter of 
the operator with $l > 0$. A signal $\beta$ is in $D_I(b, \alpha)$ if 

1. The value of $\beta$ is $b$ at the initial interval $[0, l)$; 

2. Changes in $\alpha$ are not propagated to $\beta$ before $l$ time elapses; 

3. Changes in $\alpha$ must be propagated to $\beta$ if they persist for $u$ time; 

4. Changes in $\alpha$ that persist for less than $l$ time are not propagated at all to $\beta$. 

Figure 2 illustrates such an operator which, typically, will have uncountably- 
many output signals for an input signal. All signal operators can be lifted natu- 
rally into operators on sets of signals. 

A timed circuit model is obtained from a Boolean circuit by connecting the 
output of every non-input node to a delay operator which models the delay 
associated with the computation of that node (see Figure 1-(b)). In other words, 
a gate with a propagation delay is modeled as a composition of a memoryless 
Boolean operator and a delay operator (see [MP95]). 

Definition 5 (Timed Boolean Circuits). A timed Boolean circuit is $C = 
(V, \prec, F, I)$ where $(V, \prec, F)$ is a Boolean circuit and $I$ is a function assigning 
to every non-input node $v$ a delay interval $I_v = [l_v, u_v]$ with $0 < l_v < u_v < \infty$. 

The semantics of a timed circuit is given in terms of a non-deterministic 
transducer $F_C : Y \times S(X) \to 2^{S(Y)}$ such that $\beta \in F_C(y, \alpha)$ if $\alpha$ and $\beta$ satisfy 
the set of signal inclusions associated naturally with the circuit [MP95] and $y$ is 
the initial state of the non-input part of the circuit. 

The stabilization time problem is motivated by the use of Boolean circuits in 
synchronous sequential machines (the hardware name for automata) . At the be- 
ginning of every clock cycle new input values together with the values of memory 
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elements (computed in the previous cycle) are fed into the circuit and the changes 
are propagated until the circuit stabilizes and the clock falls. The “width” of the 
clock needs to be large enough to cover the longest possible stabilization time of 
the circuit over all admissible inputs. In our modeling approach we will consider 
primary inputs that change at most once and within a bounded amount of time 
and hence, due to acyclicity and the finite upper-bounds associated with the 
delays, they induce finitely many changes throughout the circuit. 

Definition 6 (Ultimately-Constant Signals). A signal $\alpha$ is ultimately- 
constant (u.c.) if it has a finite number of jump points (i.e. there is some time $t$ 
such that the signal remains constant after $t$). The minimal such $t$ for $\alpha$ is called 
its stabilization time and is denoted by $\theta(\alpha)$. This definition extends to sets of 
signals by letting $\theta(L) = \max\{\theta(\alpha) : \alpha \in L\}$. 

The following properties hold for every u.c. signal $\alpha$: 

1. The signal $f(\alpha)$ is also u.c. for every Boolean function $f$. 

2. For a delay operator $D_I$ with $I = [l, u]$ and for every $\beta \in D_I(\alpha)$, $\theta(\beta) \le 
\theta(\alpha) + u$. 

Consequently, u.c. inputs to acyclic timed circuits produce u.c. outputs. Constant 
signals constitute a special class of u.c. signals and we will use $\alpha_x$ to denote 
a signal whose value is constantly $x$. 

We can now define the problem of maximal stabilization time of a circuit 
with respect to a pair of input vectors $x$ and $x'$ where $x$ is the input presented 
in the preceding cycle, and which determines the initial (stable) state, and $x'$ is 
the value of a new constant signal. We denote by $L(C, x, x')$ the set of $Y$-signals 
$\beta \in F_C(y, \alpha_{x'})$ when the circuit is initialized with the stable state $y = G(x)$. 

Definition 7 (Stabilization Time of a Circuit). Given a timed Boolean 
circuit $C = (V, \prec, F, I)$ and two input vectors $x, x' \in X$ the stabilization time 
associated with $(x, x')$ is $\theta(C, x, x') = \max\{\theta(\beta) : \beta \in L(C, x, x')\}$ and the 
maximal stabilization time of the circuit is $\theta(C) = \max\{\theta(C, x, x') : x, x' \in X\}$. 



3 Modeling with Timed Automata 

Timed automata are automata augmented with continuous clock variables whose 
values grow uniformly at every state. Clocks can be reset to zero at certain transi- 
tions and tests on their values can be used in conditions for enabling transitions. 

Definition 8 (Timed Automaton). A timed automaton is $\mathcal{A} = (Q, C, I, \Delta)$ 
where $Q$ is a finite set of states, $C$ is a finite set of clocks, $I$ is the staying 
condition (invariant), assigning to every $q \in Q$ a conjunction $I_q$ of inequalities 
of the form $c \le u$, for some clock $c$ and integer $u$, and $\Delta$ is a transition relation 
consisting of elements of the form $(q, \phi, \rho, q')$ where $q$ and $q'$ are states, $\rho \subseteq C$ 
and $\phi$ (the transition guard) is a conjunction of formulae of the form $(c \ge l)$ for 
some clock $c$ and integer $l$. 
A clock valuation is a function $v : C \to \mathbb{R}_+ \cup \{0\}$ and a configuration of the 
automaton is a pair $(q, v)$ consisting of a discrete state (location) and a clock 
valuation. Every subset $\rho \subseteq C$ induces a reset function $\mathrm{Reset}_\rho$ on valuations 
which resets to zero all the clocks in $\rho$ and leaves the other clocks unchanged. 
We use $\mathbf{1}$ to denote the unit vector and $\mathbf{0}$ for the zero vector. We will 
use the term constraints to refer to both guards and staying conditions. A step 
of the automaton is one of the following: 

— A discrete step: $(q, v) \xrightarrow{\delta} (q', v')$, for some transition $\delta = (q, \phi, \rho, q') \in \Delta$, 
such that $v$ satisfies $\phi$ and $v' = \mathrm{Reset}_\rho(v)$. 

— A time step: $(q, v) \xrightarrow{t} (q, v + t\mathbf{1})$, $t \in \mathbb{R}_+$ such that $v + t\mathbf{1}$ satisfies $I_q$. 

A run of the automaton starting from a configuration $(q_0, v_0)$ is a finite sequence 
of steps 

$(q_0, v_0) \to (q_1, v_1) \to \cdots \to (q_n, v_n)$. 

We model timed circuits as a composition of timed automata such that each 
automaton may observe the states of other automata and refer to them in its 
transition guards and staying conditions.² The automaton for a Boolean gate of 
the form $y = f(x_1, x_2)$ is just a trivial one-state automaton that has self-looping 
transitions for all tuples $(x_1, x_2, y)$ that satisfy the equation. In fact, this is not 
really an automaton but an instantaneous logical constraint that must always be 
satisfied. The automaton for the delay operator $D_{[l,u]}$ (Figure 3) has four states, 
$0, 0', 1, 1'$. The 0 and 1 states are stable, that is, the value of the output of 
the delay is consistent with its input $x$. When at state 0, if the input changes 
to 1, the automaton moves to an unstable state $0'$ and resets a clock $C$ to zero. 
It can stay at $0'$ as long as $C \le u$ and can switch to stable state 1 as soon as 
$C \ge l$. If the input changes back to 0 before the transition to 1 the automaton 
returns to 0. We call these three types of transitions excite, stabilize and regret, 
respectively. Note that states 0 and $0'$ are indistinguishable from the outside 
and another automaton will see a change from 0 to 1 only after the “stabilize” 
transition. 

Composing all the automata, together with the model of their inputs we ob- 
tain a closed automaton as in Definition 8 whose semantics is identical to that of 
the timed circuit [MP95]. To be more precise, an automaton whose semantics is 
$L(C, x, x')$ is obtained by letting the initial state be the stable state correspond- 
ing to G(x) and composing it with a static automaton for the input x'. The 
obtained automaton is acyclic and all paths converge in finite time to the only 
stable state that corresponds to G(x'). The maximal stabilization time is hence 
the maximal time that the automaton can stay in any unstable state. Note that 
in such a state at least one of the components is in a 0' or 1' state and hence its 
staying condition forces it to leave the state. 

² To avoid over-formalization we do not define “open” interacting automata. Such 
definitions can be found in [MP95]. 

Fig. 3. The timed automaton for a delay element. The $x$ variable refers to the observ- 
able state of the input automaton which is 0 at $\{0, 0'\}$ and 1 at $\{1, 1'\}$ 

We recall some definitions commonly-used in the verification of timed au- 
tomata [HNSY94, Y97, LPY97, BDM+98, A99]. A zone is a set of clock valua- 
tions consisting of points satisfying a conjunction of inequalities of the form $c_i - 
c_j \ge d$ or $c_i \ge d$. A symbolic state is a pair $(q, Z)$ where $q$ is a discrete state 
and $Z$ is a zone. It denotes the set of configurations $\{(q, z) : z \in Z\}$. Symbolic 
states are closed under the following operations: 

— The time successor of $(q, Z)$ is the set of configurations which are reachable 
from $(q, Z)$ by letting time progress without violating the staying condition 
of $q$: 

$\mathrm{Post}^*(q, Z) = \{(q, z + r\mathbf{1}) : z \in Z, r \ge 0, z + r\mathbf{1} \in I_q\}$. 

We say that $(q, Z)$ is time-closed if $(q, Z) = \mathrm{Post}^*(q, Z)$. 

— The $\delta$-transition successor of $(q, Z)$ is the set of configurations reachable 
from $(q, Z)$ by taking the transition $\delta = (q, \phi, \rho, q') \in \Delta$: 

$\mathrm{Post}_\delta(q, Z) = \{(q', \mathrm{Reset}_\rho(z)) : z \in Z \cap \phi\}$. 

— The $\delta$-successor of a time-closed symbolic state $(q, Z)$ is the set of configu- 
rations reachable by a $\delta$-transition followed by passage of time: 

$\mathrm{Succ}_\delta(q, Z) = \mathrm{Post}^*(\mathrm{Post}_\delta(q, Z))$. 

The forward reachability algorithm for TA starts with an initial zone and gener- 
ates all successors until termination, while doing so it generates the reachability 
graph (also known as the simulation graph). 

Definition 9 (Reachability Graph). The reachability graph associated with 
a timed automaton starting from a state $s$ is a directed graph $\mathcal{S} = (N, E)$ such 
that $N$ is the smallest set of symbolic states containing $\mathrm{Post}^*(s, \{\mathbf{0}\})$ and closed 
under $\mathrm{Succ}_\delta$. The edges are all pairs of symbolic states related by $\mathrm{Succ}_\delta$. 

The fundamental property of the reachability graph is that it admits a path from 
$(q, Z)$ to $(q', Z')$ if and only if for every $v' \in Z'$ there exists $v \in Z$ and a run of 
the automaton from $(q, v)$ to $(q', v')$. Hence the union of all reachable symbolic 
states gives exactly the reachable configurations. 

To compute the maximal stabilization time we add an auxiliary clock T 
which is never reset to zero and hence in every reachable configuration its value 
represents the total time elapsed since the beginning of the run. The maximal 
value of T over all reachable symbolic states (g, Z) with g unstable is the maximal 
stabilization time (note that due to acyclicity the value of T is bounded in 
all unstable states). Hence, the problem of maximal stabilization time can, in 
principle, be solved using standard TA verification tools. 
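The zone operations of this section carried out on difference-bound matrices, as an added Python example (not the paper's tooling or its IF/Kronos implementation): a constructed chain of two delay elements with bounds [1, 2] and [2, 3], whose reachability graph is built from $\mathrm{Post}^*(q_0, \{\mathbf{0}\})$ under $\mathrm{Succ}_\delta$ and whose maximal stabilization time is read off the never-reset clock $T$. It assumes the excite transition is urgent, so that the excitation of element 2 coincides with the stabilize transition of element 1 in the product.

```python
"""Zone-based reachability for a chain of two delay elements (constructed
example, not the paper's tooling): Post*, Post_delta and Succ_delta on
difference-bound matrices (DBMs), the reachability graph of Definition 9, and
the maximal stabilization time read off the never-reset clock T."""
from collections import deque

INF = float("inf")   # all bounds are non-strict (c <= u, c >= l); INF = no bound

class DBM:
    """Zone over clocks 1..n (clock 0 is the constant 0): d[i][j] bounds x_i - x_j."""
    def __init__(self, n, d=None):
        self.n = n
        self.d = d if d is not None else [[0] * (n + 1) for _ in range(n + 1)]  # {0}

    def close(self):
        """Floyd-Warshall canonical form; returns False if the zone is empty."""
        r = range(self.n + 1)
        for k in r:
            for i in r:
                for j in r:
                    if self.d[i][k] + self.d[k][j] < self.d[i][j]:
                        self.d[i][j] = self.d[i][k] + self.d[k][j]
        return all(self.d[i][i] >= 0 for i in r)

    def up(self):
        """Let time elapse: drop every upper bound x_i - x_0 <= c."""
        for i in range(1, self.n + 1):
            self.d[i][0] = INF

    def add(self, i, j, c):
        """Conjoin x_i - x_j <= c."""
        self.d[i][j] = min(self.d[i][j], c)

    def reset(self, i):
        """Reset_rho for a single clock i; the matrix must be canonical."""
        for j in range(self.n + 1):
            if j != i:
                self.d[i][j], self.d[j][i] = self.d[0][j], self.d[j][0]
        self.d[i][i] = 0

    def bounds(self, i):
        """(smallest, largest) value clock i takes in the zone; largest may be INF."""
        return -self.d[0][i], self.d[i][0]

    def key(self):
        return tuple(map(tuple, self.d))

# Clocks: T (absolute time, never reset), C1, C2.  Delay bounds are constructed.
T, C1, C2 = 1, 2, 3
L1, U1, L2, U2 = 1, 2, 2, 3

# Product of y = D[L1,U1](x), z = D[L2,U2](y) for x switching 0 -> 1 at time 0:
# element 2 is excited (C2 reset) by the stabilize transition of element 1.
STATES = {                           # location: (staying condition, unstable?)
    "(0',0)": ([(C1, U1)], True),
    "(1,0')": ([(C2, U2)], True),
    "(1,1)": ([], False),
}
TRANSITIONS = [                      # (q, guard lower bounds, resets, q')
    ("(0',0)", [(C1, L1)], [C2], "(1,0')"),
    ("(1,0')", [(C2, L2)], [], "(1,1)"),
]

def post_time(q, z):
    """Post*(q, Z): time successor restricted to the staying condition I_q."""
    z = DBM(z.n, [row[:] for row in z.d])
    z.up()
    for clock, u in STATES[q][0]:
        z.add(clock, 0, u)           # clock - 0 <= u
    return z if z.close() else None

def post_delta(delta, z):
    """Post_delta(q, Z): intersect with the guard, then apply the resets."""
    _, guard, resets, q2 = delta
    z = DBM(z.n, [row[:] for row in z.d])
    for clock, l in guard:
        z.add(0, clock, -l)          # 0 - clock <= -l, i.e. clock >= l
    if not z.close():
        return None
    for clock in resets:
        z.reset(clock)
    return q2, z

def reachability_graph(q0):
    """Definition 9: symbolic states closed under Succ_delta = Post* o Post_delta."""
    z0 = post_time(q0, DBM(3))
    nodes, edges, queue = {(q0, z0.key()): z0}, [], deque([(q0, z0)])
    while queue:
        q, z = queue.popleft()
        for delta in (d for d in TRANSITIONS if d[0] == q):
            step = post_delta(delta, z)
            z2 = post_time(step[0], step[1]) if step else None
            if z2 is not None:
                edges.append(((q, z.key()), (step[0], z2.key())))
                if (step[0], z2.key()) not in nodes:
                    nodes[(step[0], z2.key())] = z2
                    queue.append((step[0], z2))
    return nodes, edges

def max_stabilization_time():
    """Largest T over reachable symbolic states whose location is unstable."""
    nodes, _ = reachability_graph("(0',0)")
    return max(z.bounds(T)[1] for (q, _), z in nodes.items() if STATES[q][1])
```

With these bounds the graph has three symbolic states, the unstable location (1,0') carries $1 \le T \le 5$, so the maximal stabilization time is $u_1 + u_2 = 5$, while the stable location is entered no earlier than $l_1 + l_2 = 3$.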



4 The Abstraction Technique 

Given the complexity of TA verification we move to an abstraction methodology 
based on the following simple idea. We decompose the circuit into sub-circuits 
small enough to be handled completely by TA verification tools. We take the 
automaton $A$ which corresponds to such a sub-circuit and use its reachability 
graph to construct an automaton $\hat{A}$ having two important properties: 

1. The set $L(\hat{A})$ of signals that it generates is a reasonable over-approximation 
of the projection of $L(A)$ on the output variables of the sub-circuit. 

2. It is much smaller than $A$ in terms of states and clocks. 

Hence if we replace $A$ by $\hat{A}$ as a model of the sub-circuit we are guaranteed 
to over-approximate the semantics of the circuit and hence to over-approximate 
the stabilization time. 

To better understand the technique it is worth looking at the reachability 
graph from a different angle. In timed automata, as in any other automata 
augmented with auxiliary variables, the transition graph is misleading because 
a discrete state stands for many possible clock valuations which may differ in the 
constraints they satisfy and hence in the behaviors that can be generated from 
them. It might be the case that a state $q$ will never be reached with a clock 
valuation satisfying some transition guard and hence the corresponding transi- 
tion will never be taken. By performing the reachability algorithm for $A$ starting 
from an initial state we obtain a graph which represents the “feasible part” of 
$A$, excluding behaviors that violate timing constraints. Figure 5-(a) shows the 
reachability graph for the circuit of Figure 1-(b) where the inputs change from 
$(0, 1)$ to $(1, 0)$. In fact the reachability graph can serve as a skeleton of another 
timed automaton whose semantics in terms of runs is equivalent to that of $A$. 
To see that, one just has to associate with each symbolic state $(q, Z)$ the staying 
condition $Z$ and label each transition $(q, Z) \xrightarrow{\delta} (q', Z')$ by the guard and reset 
of $\delta$. The resulting automaton $A_1$ differs from $A$ in two aspects: certain states of 
$A$ are split into several copies according to clock values, and all transitions that 
are not possible in $A$ due to timing constraints do not appear in $A_1$ at all. 

Fig. 4. Projection on the absolute time introduces spurious runs 

Now if we relax some timing constraints in A1 we may introduce spurious 
behaviors that violate these constraints; however, we will not add any new qual- 
itative behavior (sequence of events) that was not possible in A because such 
behaviors have already been eliminated while computing the reachability graph. 
The most straightforward way to relax timing constraints is to project the con- 
straints on a subset of the clocks and discard the rest. In particular if we throw 
away all clocks except T which measures the absolute time, the relaxed guard 
for any transition will be of the form T ∈ [t1, t2]. Clearly, a transition can be 
taken in the new automaton iff there is a run of the original automaton in which 
the corresponding transition could be taken at some time t ∈ [t1, t2]. However, 
this abstraction can add runs which are impossible in the original au- 
tomaton, as the following example shows. Consider the automaton of Figure 4-(a) 
where the first transition could take place in [l1, u1] while the second can take 
place between l2 and u2 after the occurrence of the first. Applying the above 
procedure we obtain the automaton of Figure 4-(b) where the second transition 
could be taken anywhere in [l1 + l2, u1 + u2] regardless of the time of the first. 
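The projection on the absolute clock T and the spurious runs it introduces can be checked mechanically. The following Python is an added example, not code from the paper or its tool chain; it uses a constructed two-transition automaton of the shape of Figure 4-(a) (d1 in [10,20] after the start, d2 between 5 and 8 after d1) and enumerates the integer-time runs that the projected one-clock automaton of Figure 4-(b) accepts but the original does not.

```python
from itertools import product

# Constructed instance shaped like Figure 4-(a), not data from the paper:
# transition d1 may fire between 10 and 20 time units after the run starts,
# d2 between 5 and 8 units after d1 (delays are relative to the previous event).
RELATIVE = [("d1", 10, 20), ("d2", 5, 8)]


def project_on_absolute_time(relative):
    """Keep only the absolute clock T: the guard of the i-th transition becomes
    T in [sum of lower bounds, sum of upper bounds], as in Figure 4-(b)."""
    lo = hi = 0
    projected = []
    for name, l, u in relative:
        lo, hi = lo + l, hi + u
        projected.append((name, lo, hi))
    return projected


def original_accepts(relative, times):
    """A run, given as absolute time stamps of the transitions, is feasible in
    the original automaton iff every delay since the previous transition
    respects its own [l, u]."""
    prev = 0
    for (_, l, u), t in zip(relative, times):
        if not l <= t - prev <= u:
            return False
        prev = t
    return True


def relaxed_accepts(projected, times):
    """In the one-clock automaton a transition only checks T in [lo, hi]; the
    only memory of earlier transitions is that time cannot run backwards."""
    prev = 0
    for (_, lo, hi), t in zip(projected, times):
        if t < prev or not lo <= t <= hi:
            return False
        prev = t
    return True


def integer_runs(projected):
    """All integer-valued time stamp vectors inside the projected guards."""
    return product(*(range(lo, hi + 1) for _, lo, hi in projected))


def spurious_runs(relative):
    """Integer runs accepted by the relaxed automaton but not by the original:
    exactly the behaviours the abstraction adds."""
    projected = project_on_absolute_time(relative)
    return [run for run in integer_runs(projected)
            if relaxed_accepts(projected, run)
            and not original_accepts(relative, run)]


def is_over_approximation(relative):
    """Soundness check: every run of the original is a run of the relaxation."""
    projected = project_on_absolute_time(relative)
    return all(relaxed_accepts(projected, run) for run in integer_runs(projected)
               if original_accepts(relative, run))


if __name__ == "__main__":
    print(project_on_absolute_time(RELATIVE))   # [('d1', 10, 20), ('d2', 15, 28)]
    runs = spurious_runs(RELATIVE)
    print(len(runs), "spurious integer runs, e.g.", runs[:3])
    print("over-approximation:", is_over_approximation(RELATIVE))
```

The run (10, 28), for instance, fires d2 eighteen units after d1, which the original guard [5,8] forbids, yet both stamps lie inside the projected guards.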

The next step is to hide transitions which are not observable from the outside, 
i.e. all transitions of non-output variables and all non-visible transitions (“excite” 
and “regret”) of the output variables y2 and z. The one-clock automaton thus 
obtained for our example appears in Figure 5-(b). We then apply a minimization 
algorithm which merges states that are indistinguishable with respect to the 
remaining visible transitions. More formally we consider the congruence relation 
~ on the nodes of the labeled reachability graph defined as the largest relation 
satisfying: 

$$q_1 \sim q_2 \;\text{ iff }\; \forall \delta, I \;\Big( q_1 \xrightarrow{(\delta,\, I)} q_1' \;\Rightarrow\; \exists q_2' \text{ s.t. } q_2 \xrightarrow{\tau^{*}(\delta,\, I)} q_2' \;\wedge\; q_1' \sim q_2' \Big). \qquad (1)$$

Here (δ, I) stands for a transition-interval pair and τ* for an arbitrary sequence of 
unobservable transitions. This relation is the “safety bisimulation” of [BFG+91]. 
The minimized automaton, whose states are congruence classes of ~, can be seen 
in Figure 6-(a). 

Relation (1) looks at transition labels in a purely syntactic manner, that is, 
the label −y2[20,30] in Figure 6-(a) is considered distinct from −y2[20,40] and 
hence the transitions are not merged. To obtain a more aggressive abstraction 
we define a weaker equivalence ≈ that ignores differences in intervals: 

$$q_1 \approx q_2 \;\text{ iff }\; \forall \delta, I \;\Big( q_1 \xrightarrow{(\delta,\, I)} q_1' \;\Rightarrow\; \exists q_2', I' \text{ s.t. } q_2 \xrightarrow{\tau^{*}(\delta,\, I')} q_2' \;\wedge\; q_1' \approx q_2' \Big). \qquad (2)$$
Table 1. Maximal stabilization time for all input pairs for the circuit of Figure 8 

  x          |      00       |      01       |      10       |      11
  x'         |  10   01  11  |  11   00  10  |  00   11  01  |  01   10  00
  stab-time  | 510  340   ?  | 170  510 425  | 510    0 255  | 255    0 510

(the third stab-time entry is illegible in the scanned source) 


The states of the minimized automaton are equivalence classes of ≈ and the 
transitions between these classes are labeled by (δ, I) where I is the join (convex 
hull) of all the intervals I_i such that there are transitions labeled by (δ, I_i) between 
elements of the corresponding classes (see Figure 7).¹ The result of minimization 
with respect to ≈ appears in Figure 6-(b) and one can see that it gives a succinct 
over-approximation of the behavior of y2 and z. 
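Both minimizations, relation (1) and the interval-fusing relation (2) with the join of Figure 7, can be computed by partition refinement on the labeled reachability graph. The Python below is an added example (not the paper's IF/Aldebaran tool chain) on a constructed graph with hidden τ moves and two +y2 transitions labeled [20,30] and [20,40]; moves on both sides are matched modulo τ*, which is our reading of (1) and (2) that makes the result a congruence.

```python
from collections import defaultdict

# Constructed labeled reachability graph (not the paper's Figure 5/6 data).
# An edge is (source, delta, interval, target); delta is None for a hidden
# (unobservable) transition tau, interval is the [lo, hi] label on the clock T.
EDGES = [
    ("s0", None, None, "s1"),
    ("s0", None, None, "s2"),
    ("s1", "+y2", (20, 30), "s3"),
    ("s2", "+y2", (20, 40), "s4"),
    ("s3", "-z", (50, 60), "s5"),
    ("s4", "-z", (50, 60), "s6"),
]


def tau_closure(edges, q):
    """States reachable from q by an arbitrary sequence tau* of hidden moves."""
    seen, stack = {q}, [q]
    while stack:
        p = stack.pop()
        for src, delta, _, dst in edges:
            if src == p and delta is None and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def weak_moves(edges, q):
    """All (delta, I, q') such that q --tau*--> p --(delta, I)--> q'."""
    return {(delta, iv, dst) for p in tau_closure(edges, q)
            for src, delta, iv, dst in edges if src == p and delta is not None}


def minimize(edges, fuse_intervals=False):
    """Coarsest partition stable under relation (1) (fuse_intervals=False) or the
    weaker relation (2) that ignores the intervals (fuse_intervals=True).
    States with equal signatures end up in one class.
    Returns (class index per state, abstract transitions between classes)."""
    states = sorted({s for e in edges for s in (e[0], e[3])})
    moves = {q: weak_moves(edges, q) for q in states}
    block = {q: 0 for q in states}                 # start with a single class
    while True:
        # signature = own class + the (delta, I or nothing, target class) moves
        sig = {q: (block[q], frozenset((delta, None if fuse_intervals else iv, block[dst])
                                       for delta, iv, dst in moves[q]))
               for q in states}
        ids, new_block = {}, {}
        for q in states:
            new_block[q] = ids.setdefault(sig[q], len(ids))
        if new_block == block:                     # partition is stable
            break
        block = new_block
    # transitions of the quotient: (class, delta, class') -> interval labels
    labels = defaultdict(set)
    for src, delta, iv, dst in edges:
        if delta is not None:
            labels[(block[src], delta, block[dst])].add(iv)
    abstract = {}
    for key, ivs in labels.items():
        if fuse_intervals:   # join = convex hull of all intervals (Figure 7)
            ivs = {(min(lo for lo, _ in ivs), max(hi for _, hi in ivs))}
        abstract[key] = sorted(ivs)
    return block, abstract


if __name__ == "__main__":
    for fuse in (False, True):
        block, abstract = minimize(EDGES, fuse_intervals=fuse)
        print("fuse intervals:", fuse, "classes:", len(set(block.values())), abstract)
```

Under (1) the two +y2 transitions stay apart (five classes); under (2) s0, s1 and s2 collapse and the quotient carries a single +y2 transition labeled with the join [20,40] (three classes).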

We have implemented the above mentioned technique. Our tool chain starts 
with a circuit description as Boolean equations with delays and generates from 
it automatically a network of interacting timed automata written in the IF for- 
mat [BGM02]. After generating the reachability graph with the interval labels 
we apply the Aldebaran tool set [BFKM97], slightly modified to implement 
minimization with respect to ≈, to obtain the abstract model. 

5 Experimental Results 

We have conducted some preliminary experiments with our approach on some 
sample circuits that we have constructed. First, to demonstrate the semantic 
advantage of timed automata we analyzed the circuit of Figure 8 which has 
a false path. We use delays of [83,85] for all gates (except the inverters that 
have zero delay) and compare our results with static timing analysis which gives 
a stabilization time of 7 x 85 = 594. Since our method is currently restricted 
to one pair of input vectors, we repeat the analysis for all 12 pairs and obtain 
the results of Table 1. As one can see, the TA-based analysis discovers that the 
maximal stabilization time is only 6 x 85 = 510. 

The major set of experiments was conducted on circuits consisting of a se- 
quential concatenation of an increasing number of copies of the circuit of Fig- 
ure 1-(a) (the two output variables of stage n are the x1 and x2 of stage n+1). We assume 
that input x1 may rise anywhere in [10,35] and x2 in [15,63]. In general, the 
complexity of the reachability graph is sensitive to the choice of delay bounds: 
for an interval [l,u], the larger the ratio (u − l)/l, the more “scenarios” are possi- 
ble and transitions at “deep” gates can precede transitions in gates closer to the 
input.² Table 2 shows the performance of our technique (computation time and 
size of the reachability graph) as a function of the number of stages for three 
choices of gate delay intervals [1,2], [10,12] and [100,102]. All the experiments 
were stopped upon memory overflow (1GB). For the [100,102] interval we were 
able to analyze up to 22 stages (88 gates). 

¹ Another choice might be to join only intervals that have a non-empty intersection. 

² In fact, if we assume no lower bound on the delay (the “up-bounded” model 
of [BS94]), events can happen in any order. 

Fig. 5. (a) The reachability graph for the circuit of Figure 1-(b). The transition 
labels exc z, reg z, +z and -z correspond, respectively, to excitation, regret, rising 
and falling of the variable z. (b) The corresponding one-clock automaton after hiding 
internal transitions. The label +z[20,30] means that z may change from 0 to 1 anytime 
inside the interval [20,30]. 

Fig. 6. (a) The result of applying standard minimization. (b) The result of mini- 
mization with interval fusion. 

Fig. 7. Minimization by joining intervals 

Fig. 8. A circuit with a false path 

Table 2. Testing our technique with varying delay bounds. The ‘states’ column indi- 
cates the number of symbolic states in the model of stage n before the last minimization 
and the ‘min’ columns indicate the number of states after minimization. The ‘time’ col- 
umn indicates the time for computing the abstraction of all stages up to n − 1 and the 
reachability graph for stage n. 

As the results show, currently the analysis of circuits with a few dozen gates 
for one pair of input vectors is feasible using our technique. This is a significant 
improvement for TA technology but still a small step toward industrial-size cir- 
cuits. The current bottleneck is the memory consumption while generating the 
reachability graph and we believe the situation can be improved significantly if 
we modify the algorithm to take advantage of the acyclic nature of the automa- 
ton. 

6 Discussion 

There have been numerous publications on abstraction in general and abstrac- 
tion of timed systems in particular, e.g. [AIKY95, WD94, B96, PCKP00], some 
based on relaxing the timing constraints and refining them successively if the 
abstract system cannot be verified. In [TAKB96] an assume-guarantee frame- 
work is defined for timed automata, which is used later to verify a multi-stage 
asynchronous circuit [TB97] by using small abstractions for each stage. These 
abstractions are generated manually. The closest work to ours is [ZMM03] which 
uses timed Petri nets for describing circuits and their desired properties. To 
abstract a circuit they apply “safe transformations” that consist of hiding in- 
ternal actions and clocks, and possibly over-approximating the set of behaviors. 
This work is not specialized to acyclic circuits and the formal properties of 
the abstraction (defined in terms of trace theory) seem to be more complicated. 
Other attempts to solve the maximal stabilization time problem using TA are reported 
in [TKB97, TKY98]. 

Due to space limitations we do not discuss here possible variations of the 
technique such as different abstraction styles, nor other important ingredients 
of the methodology such as the partitioning strategy. The adaptation of the 
technique to cyclic circuits and to open systems in general is a very challenging 
goal whose achievement can have a big impact on the design of timed systems. 
Abstract. This text is dedicated to the modelling of real-time applications running 
under a multitasking operating system. The theoretical background is based on the timed 
automata of Alur and Dill. As this approach is not suited for modelling pre- 
emption, we focus on cooperative scheduling. In addition, interrupt service 
routines are considered, and their enabling/disabling is controlled by an interrupt 
server according to the specified server capacity. The server capacity has an 
influence on the margins of the computation times in the application processes. 
Such systems, used in practical real-time applications, can be modelled by 
timed automata and further verified, since their reachability problem and the model 
checking problem for TCTL are decidable. The use of this methodology is 
demonstrated on a case study. 



1 Introduction 

The aim of this article is to show how timed automata [1] can be applied to the modelling 
of real-time software applications running under an operating system with cooperative 
scheduling. The application under consideration consists of several processes, it 
includes mechanisms for interrupt handling, and it uses inter-process communication 
primitives like semaphores, queues etc. Model checking theory based on timed 
automata and implemented in model checking tools (e.g. UPPAAL [2]) can be used 
for verifying time parameters or safety and liveness properties of the proposed models. 

Timing analysis of software (especially with concurrency and synchronisation) is 
not a trivial problem and it requires sophisticated methods and analysis tools. Several 
special purpose methods have been developed in the area of real-time scheduling 
[3], [7]. These methods, e.g. rate monotonic analysis (RMA) [4], are very successful 
for the analysis of systems with periodic processes. To deal with non-periodic processes, 
the standard method is to treat the non-periodic process as a periodic one using 
the minimal inter-arrival time as the process period. The analysis based on such a model is 
too pessimistic in some cases since inter-arrival times can vary over time [13]. 
Incorporation of inter-process communication primitives leads to pessimistic results 
as well, since it does not model any internal process structure and therefore the worst-case 
blocking time must be considered, even though it can never occur (see section 7). 

To achieve a more precise analysis, process models allowing more precise and 
complex timing constraints are needed. In [13] timed automata are extended by 
asynchronous processes (i.e. processes triggered by events) to provide a model for 
event-driven systems, which is further used for schedulability analysis. Processes (in 
[13] called tasks) associated to locations of the timed automaton are executable programs 
characterised by their worst-case execution time, deadline and other parameters for 
scheduling (e.g. priority). A transition leading to a location in such an automaton denotes 
an event triggering the process and the guard on the transition specifies the possible 
arrival times of the event. Released processes are stored in a process queue and they 
are assumed to be executed according to a given scheduling strategy. Both non- 
preemptive and preemptive scheduling strategies are allowed. Such a model can deal 
with non-periodic processes in a more accurate manner than RMA. Moreover there is a 
possibility to model the internal process structure, as is shown in section 2, but the 
computation time of the modelled blocks of code cannot vary. 

This drawback is overcome by the more detailed process model proposed in [9], 
providing a method for constructing models of real-time Ada tasking programs. Time, 
safety or liveness properties of the produced model, based on constant-slope linear hybrid 
automata, can be automatically analysed by the HyTech verifier. The state of the hybrid 
automaton consists of various state variables representing an abstraction of the program's 
state and it also contains continuous variables used to measure the amount of 
processor time allocated to each process. A transition of the hybrid automaton 
represents the execution of a sequential code segment. The timing constraints of the 
transition are derived from the time bounds of the corresponding code. Even though 
the author reports that the analysing algorithm does usually terminate in practice, the 
reachability problem for hybrid automata is undecidable in general. 

A hybrid automaton (or one of its subclasses, e.g. the stopwatch automaton [10]) is 
needed to model preemption since it is necessary to accumulate the computing time of 
each process separately. The continuous variable used to measure the amount of CPU 
time allocated to each process must progress when the corresponding process is 
executed and must be stopped when the corresponding process is preempted. Such 
behaviour cannot be modelled by a timed automaton, which does not allow stopping of a 
clock variable (see [1]). 

Based on these observations we provide a model of a real-time system consisting 
of several concurrent processes scheduled by a cooperative scheduler. Since the internal 
structure of the processes and the scheduler are modelled by timed automata, the 
model of the system is more accurate than the models used for schedulability analysis 
(RMA and timed automata extended by processes). As opposed to the model of the 
system with preemption based on hybrid automata, this approach has guaranteed 
termination of the verification algorithm due to the decidability of the reachability problem and 
of the model checking problem for timed computation tree logic (TCTL). Moreover timed 
automata are one of the most studied models for real-time systems and several model 
checkers are available (e.g. Kronos and UPPAAL [2]). 

Preemptive schedulers are known to provide higher utilisation of the processor than 
the cooperative ones [3]. On the other hand the processor utilisation is a less important 
criterion when the schedulability can be proven for a given set of processes under 
a cooperative policy. Moreover cooperative scheduling has some advantages 
important especially for hard real-time applications where the highest reliability is 
required. In cooperative scheduling, a process specifies when it is willing to release the 
CPU to another process. Then it is easy to make sure that all data structures are in a 
defined state. Applications using cooperative scheduling are therefore easier to 
program and to debug. In this paper we present another important advantage of 
cooperative scheduling, that is the possibility to create a mathematical model of the 
application based on timed automata and to verify its time, safety and liveness 
properties. 

The rest of this paper is organised as follows: section 2 illustrates on an example of a 
scheduling anomaly that when one wants to make use of the internal process 
structure, then it is needed to consider also the lower margins of computation times. 
Sections 3 and 4 represent the marginal part of this article. They deal with the modelling 
of applications running under an operating system based on cooperative scheduling. 
Since interrupt handling can play an important role in such systems, interrupts are taken into 
consideration in section 5. Section 6 illustrates an extension of the proposed model by 
inter-process communication. The presented methodology and its comparison with the RMA 
approach is demonstrated on a case study in section 7. 

2 On Scheduling Anomaly in Multitasking Operating System 

Several multiprocessor time anomalies are known in scheduling theory [3], [5], [7]. 
Similar non-linear behaviour (a shortening of the computation time leading to the 
prolongation of the completion time) can be found on one processor regardless of the 
scheduling policy (preemptive or cooperative), when the processes contain 
computations, resource sharing and idle waiting (notice that the idle waiting is 
processed in parallel with the computation of another process). 

The example depicted in Fig. 2.1 shows a high priority process P-high and a low 
priority process P-low sharing one resource represented by a semaphore Sem. The 
processes consist of computations with a specified deterministic computation time, of 
idle waiting with a specified deterministic delay and of a shared resource guarded by the 
semaphore. The computation times and delays given after the slash are assumed to be 
constants. The computation time of CompC is C=2 in instance a) or C=1 in 
instance b). 

The semaphore is taken by P-high first in instance a) regardless of the scheduling 
policy (priority based preemptive or priority based cooperative). Consequently the 
process P-high is completed in 7 time units and the process P-low is completed in 9 
time units, see Fig. 2.1 a). In instance b), the semaphore is taken by process P-low 
first and consequently the process P-high is completed in 9 time units and the process 
P-low is completed in 10 time units, see Fig. 2.1 b). 

The shortening of the computation time in the process P-low (C shortened from 2 
to 1) leads to the prolongation of the completion time of both processes. As a 
consequence this example illustrates the necessity to consider also the lower margins of 
computation times when the process internal structure is modelled. 

This result is important for modelling the process internal structure by timed automata 
extended by tasks [13]. Timed automata extended by tasks allow one to model precedence 
constraints over tasks by boolean variables shared between tasks and the automaton. 
Therefore it is possible to model each process as a timed automaton and to associate to 
its locations tasks representing the corresponding computation. Precedence constraints are 
used to prevent the start of the next computation before the previous one is finished. Since 
the tasks associated to locations are characterised only by their worst-case computation time, 
some mechanism must be used to prevent the occurrence of the anomalies described in this 
section. One solution can be to leave the processor idling when some computation is 
finished sooner than it was supposed to be. 
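The anomaly can be reproduced with a small discrete-event model of a priority-based cooperative scheduler. This Python code is an added illustration, not part of the paper; since the step sequence of Fig. 2.1 is not on this page, the two processes and their durations are constructed (and so differ from the 7/9 and 9/10 units above): shortening P-low's first computation from 4 to 2 units lets P-low reach the semaphore before P-high wakes from its idle wait, and P-high then completes later (11 instead of 8).

```python
# Constructed instance of the anomaly of Section 2 (the processes of Fig. 2.1
# are not reproduced; the numbers below are ours). A process is a priority and
# a list of steps:
#   ("comp", d)    non-preemptible computation of d time units
#   ("delay", d)   idle waiting for d units, the CPU is released meanwhile
#   ("take", s)    acquire binary semaphore s (blocks if it is held)
#   ("give", s)    release semaphore s (wakes the first waiter)
#   ("yield",)     voluntary release of the CPU (scheduling point)


def build_processes(c):
    """P-high idles 3 units and then needs Sem; P-low computes c units first."""
    return {
        "P-high": (2, [("delay", 3), ("take", "Sem"), ("comp", 2),
                       ("give", "Sem"), ("comp", 2)]),
        "P-low": (1, [("comp", c), ("yield",), ("take", "Sem"), ("comp", 4),
                      ("give", "Sem"), ("comp", 1)]),
    }


def simulate(procs):
    """Priority-based cooperative scheduler: the highest priority ready process
    runs until it yields, waits or finishes. Returns the completion times."""
    pc = {n: 0 for n in procs}       # next step of each process
    wake = {n: 0 for n in procs}     # time it becomes ready; None = blocked on a semaphore
    held = {}                        # semaphore -> holder
    waiting = {}                     # semaphore -> FIFO of blocked processes
    finish = {}
    t = 0
    while len(finish) < len(procs):
        ready = [n for n in procs if n not in finish
                 and wake[n] is not None and wake[n] <= t]
        if not ready:                # everybody idles: jump to the next wake-up
            pending = [wake[n] for n in procs if n not in finish and wake[n] is not None]
            if not pending:
                raise RuntimeError("deadlock: all remaining processes wait on semaphores")
            t = min(pending)
            continue
        cur = max(ready, key=lambda n: (procs[n][0], n))
        steps = procs[cur][1]
        while True:                  # run cur until a scheduling point
            if pc[cur] == len(steps):
                finish[cur] = t
                break
            step = steps[pc[cur]]
            if step[0] == "comp":
                t += step[1]
                pc[cur] += 1
            elif step[0] == "delay":
                wake[cur] = t + step[1]
                pc[cur] += 1
                break
            elif step[0] == "yield":
                pc[cur] += 1
                break
            elif step[0] == "take":
                if step[1] not in held:
                    held[step[1]] = cur
                    pc[cur] += 1
                else:                # stay at the take and retry when woken
                    wake[cur] = None
                    waiting.setdefault(step[1], []).append(cur)
                    break
            elif step[0] == "give":
                del held[step[1]]
                pc[cur] += 1
                if waiting.get(step[1]):
                    wake[waiting[step[1]].pop(0)] = t
    return finish


if __name__ == "__main__":
    for c in (4, 2):
        print("C =", c, simulate(build_processes(c)))
```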
Fig. 2.1. Example of the monoprocessor scheduling anomaly 



3 Cooperative Scheduling Model 



Cooperative scheduling allows the currently executed process to be descheduled only at 
explicitly specified points, where the system call yield() is called or where the process 
is waiting. 

An example of the application process model is depicted in Fig. 3.1. There are 
four types of locations. Computation locations (Comp1, Comp2, Comp3 for short) 
correspond to non-preemptible blocks of code (the Computations do not contain 
any blocking operation). Each two successive Computation locations are separated by 
one Yield location corresponding to the yield instruction where the process can be 
descheduled and then waits until it is scheduled again. In the WaitTimer location the 
process does not require the processor. The WaitTimer location is followed by the WaitProc 
location where the signalled process waits until it is scheduled. The double circle used 
for the WaitTimer location specifies that this is the initial location. 



    Fnc_Process1 {
        while (TRUE)
        {
            Comp1
            yield()
            Comp2
            yield()
            Comp3
            Wait_End_of_Period
        }
    }

[Fig. 3.1 labels: locations Comp1 (invariant w<=H1), Yield1, Comp2, Comp3 (invariant w<=H3), WaitTimer (invariant t<=Period_H), WaitProc; transition labels Deschedule!, Schedule? w>=L1, Schedule? w>=L2, Schedule?, Signal! t>=Period_L] 

Fig. 3.1. Model of the application process executed under cooperative scheduling policy 



As each part of the program modelled by a Computation location cannot be affected 
by preemption, its finishing time is equal to the computation time, which is 
supposed to be known a priori and bounded by the interval (L,H) (lower and upper 
margins allow one to involve the uncertainty of execution time due to non-modelled code 
branching inside the computations, bus errors, cache faults, page faults, cycle stealing 
by a DMA device, etc.). 

The following behaviour of the cooperative scheduler is assumed: if the processor 
is free, the process with the highest priority among all processes in a queue of ready 
processes is scheduled. The currently executed process will run until it voluntarily 
relinquishes processor by calling system call yieldQ or until it is blocked. The model 
of the cooperative scheduler is created as the network of automata synchronised with 
application processes through synchronisation channels as depicted in Fig. 3.2. The 
scheduler chooses the highest priority ready process and enables its execution through 
Schedule channel. Deschedule channel is used to signal that the process relinquishes 
the processor (by yieldQ). The Block channel is used to relinquish processor on some 
blocking system call and the Signal channel announce that the blocking is finished 
and the process is ready to be executed on the processor. 



[Fig. 3.2: the Application processes and the Scheduler automata, connected by the channels Schedule, Deschedule, Block and Signal] 

Fig. 3.2. Synchronization of cooperative scheduler with processes 



One automaton of the cooperative scheduler model (Sch_i) is depicted in Fig. 3.3. 

Fig. 3.3. One automaton Sch_i of the cooperative scheduler in Fig. 3.2 

Fig. 3.4. Automaton wPriorQueue providing reordering of queue Q 

Each process is identified by a unique integer ID (0,1,2,...). The priority of the process is 
stored in the global array P, indexed by ID. The IDs of all processes which are in the Ready state 
are stored in the queue modelled as a global array Q representing a circular buffer. The 
integer nQ is the number of elements in the queue. The integer rQ is the position for 
reading the first element in Q and the integer wQ is the position of the first empty 
element in Q, as is depicted in Fig. 3.2. Processes are ordered in descending order 
according to their priorities in Q (rQ points to the ready process with the highest priority). 

As shown in Fig. 3.3, mutually exclusive access to the Execution location is guarded by the 
two-state variable Free. Moreover, only the scheduler automaton of the highest priority process 
(its ID is at the top of the ready queue) can take the transition from the Ready to the 
Execution location. To prevent processor idling, the transition from Ready to 
Execution must be taken as soon as it is enabled. This is provided by 
declaring the channel Schedule as an urgent channel (no time progress is enabled when 
there are some enabled transitions synchronised through an urgent channel). The two 
unnamed locations with the letter C inside the circle are so-called committed locations 
providing atomicity of traversing the incoming and outgoing transitions (a committed 
location must be left immediately without any interference of another automaton in the 
model). These locations are necessary in Fig. 3.3 only due to the impossibility of using two 
synchronisations on one transition in UPPAAL. 

The ID of the process leaving the Ready state is deleted from the ready queue by 
decrementing the number of elements in the queue nQ and by moving the reading pointer rQ 
to the next element in the queue. The ID of the process entering the Ready state is written 
to the end of the ready queue. The ready queue must be reordered after this operation. 
Ordering according to priorities is provided by the automaton wPriorQueue depicted in 
Fig. 3.4. The reordering mechanism is started by the synchronisation channel wQch. 

Note on the Modelling of the Context Switch Time: Notice that the model of the 
scheduler automaton proposed in Fig. 3.3 is simplified by assumption that the context 
switch does not take any time. But for proper exploration of time properties of real- 
time system the context switch time should be considered. Since the context switch in 
cooperative scheduling occurs once per Computation location, context switch time 
can be simply involved in the computation time of each Computation. 



4 Modelling Deterministic Behaviour of the Scheduler 

Notice that the proposed model created as the synchronised product of application process 
automata and corresponding scheduler automata (Fig. 3.3) contains non-deterministic 
behaviour which does not correspond to the real behaviour of the scheduler. This non- 
determinism occurs when the transition from Ready to Execution location of one 
scheduler automaton Sch_i is enabled and simultaneously the transition from Pended to 
Ready location of another scheduler automaton Sch_j is enabled. In such a case the 
transition from Pended to Ready should be taken first since the scheduler updates the 
states of processes first. Then the highest priority ready process should be chosen and 
the scheduler automaton of this process should take the transition to the Execution 
location. Please realise that the model adopted in the previous paragraph allows also other 
behaviour: the transition from Ready to Execution location of the first scheduler 
automaton is taken first and the transition from Pended to Ready location of the 
second scheduler automaton is taken afterwards. In such a case the second process 
loses the chance to compete for the processor, which is undesirable since the lower priority 
process can take the processor even though there is some higher priority ready process 
at the same time. 

The objective of this paragraph is to eliminate such undesirable behaviour, which 
does not correspond to reality. Transition priorities will be used to determine the 
order of transitions. High priority 2 will be assigned to the transitions from Pended to 
Ready locations in all scheduler automata. Lower priority 1 will be assigned to all 
remaining transitions. Since timed automata have no notion of transition priority, 
it is incorporated by modifying the guards on transitions. 

This approach is demonstrated on a simple example of two periodic application 
processes modelled by the timed automata depicted in Fig. 4.1. Process P1 is the low 
priority one and process P2 is the high priority one. Both processes are scheduled by 
a cooperative scheduler modelled by two scheduler automata Sch1 and Sch2 depicted in 
Fig. 3.3. 



[Fig. 4.1 labels. a) Low priority process P1: locations WaitProc, a computation location with invariant w1<=6, WaitTimer with invariant t1<=20; labels Schedule1?, w1:=0, Signal1!, t1>=20, t1:=0. b) High priority process P2: locations WaitProc, a computation location with invariant w2<=5, WaitTimer with invariant t2<=10; labels Schedule2?, Block2!, w2:=0, Signal2!, t2>=10, t2:=0] 

Fig. 4.1. Automata of application processes 



The resulting model of the whole application is the synchronised product of all concerned 
automata (Sch1, Sch2, P1, P2, wPriorQueue) and it is depicted in Fig. 4.2. The 
location names consist of the first letters of the location names of the original 
automata (in the order Sch1, Sch2, P1, and P2). Priorities are assigned to the 
transitions where a non-deterministic choice can occur (high priority 2 to the transitions 
from Pended to Ready and low priority 1 to other transitions). Notice that urgent 
locations (symbol u inside the location) are used to prevent processor idling (time 
progress is disabled when some automaton resides in an urgent location). This function 
was provided by the urgent channel Schedule in automaton Sch_i in the previous section. 



[Fig. 4.2 labels: locations P_P_WT_WT (invariants t1<=20, t2<=10), R_P_WP_WT, E_P_C_WT (invariants w1<=6, t2<=10); transitions marked Priority 1 and Priority 2, e.g. t1>=20, t1:=0 with Priority 2] 

Fig. 4.2. Resulting model concerning transition priorities (synchronised product of Sch1, Sch2, 
P1, P2, wPriorQueue) 
Our approach to transition priority is the following. Suppose the transition from 
Pended to Ready is taken non-deterministically between the lower and upper margin 
of the signalling time (within the interval <L, H>). Since any process can be scheduled 
prior to another process becoming ready an infinitely short time after the scheduling 
decision, the transition priority has no sense in the interval <L, H). In other words it is 
desired to preserve the non-determinism in the interval <L, H). On the other hand, the 
priority of the transition from Pended to Ready must be high at time H since the scheduler 
updates the states of processes prior to the scheduling decision (as explained above). Our 
approach to give priority to the transitions is to restrict the lower priority transition 
guard g_i to g_i' = g_i ∧ (t<H), where t is a clock and t<H is the invariant of the location where 
the higher priority transition begins. The restricted guards of lower priority transitions are 
in dotted grey-filled ellipses in Fig. 4.2. 

5 Interrupts 

Interrupts are usually used for fast handling of asynchronous external events. Interrupts 
are particularly important in cooperative scheduling since a low priority process cannot 
be preempted and therefore a high priority process cannot be used to handle an 
asynchronous event when a short response time is required. When an interrupt request 
(IRQ) arrives from the environment and the corresponding interrupt is enabled, the currently 
executed process is interrupted and the interrupt service routine (ISR) is executed. The 
relative finishing time F of the currently executed Computation is therefore prolonged by the 
computation time of the ISR (C_ISR) and it is no longer equal to the known computation 
time. Therefore it is necessary to change the upper margin H of each computation location in 
the timed automata process model. Each H is prolonged by MaxSC (maximum server 
capacity), the value corresponding to the processor time reserved for all interrupt 
service routines. Since the number of interrupt requests depends on the environment, 
the total computation time of all ISRs (SC_ISR) is not known a priori and moreover the 
existence of its upper bound is not guaranteed. 

The interrupt server limiting the amount of processor time spent on interrupts is used 
to guarantee that SC_ISR does not exceed the MaxSC value. Contrary to the servers used for 
handling aperiodic tasks in scheduling theory (polling, deferrable, sporadic servers 
[3], [6]), the prevention of interrupt servicing must be done at the hardware level (by 
disabling the IRQ) and before the IRQ occurs. The architecture of the system with 
interrupt server is depicted in Fig. 5.1. Interrupt service routines are not called 
directly when some interrupt is requested, but they are wrapped by the code of the 
ISR_Server() function (see Fig. 5.3). The interrupt server has a specified server 
capacity SC, which is filled with the value MaxSC at the beginning of each 
computation. The function Fill_Server(MaxSC) listed in Fig. 5.3 is used for it. When 
an interrupt occurs the server capacity SC is decreased by the value of the corresponding 
C_ISR and the interrupt server checks whether the remaining capacity SC is sufficient for handling the 
next ISR. If not, the corresponding IRQ is disabled. This check is performed whenever SC 
changes: once by Fill_Server() and repeatedly on each interrupt by ISR_Server(). 
Notice that C_S, the computation time of ISR_Server(), is taken into account. Further, H has to 
be prolonged by C_FS, the computation time of the function Fill_Server() (see Fig. 5.2). 
The lower margin L of any computation location is affected only by C_FS. 
Notice that the function ISR_Server() assumes that the hardware does not support 
nested interrupts (ISR_Server() cannot be interrupted by another interrupt). 

Fig. 5.1. System architecture with interrupt server

Fig. 5.2. Computation location considering interrupts. The location Comp1 carries the
invariant w <= H1 + C_FS + MaxSC1; it is entered by Schedule? and left by Deschedule!
with the guard w >= L1 + C_FS.

Fig. 5.3. Interrupt server (pseudocode of Fill_Server() and ISR_Server())

Fill_Server(MaxSC) {
    Disable_INT
    SC := MaxSC
    Check for all IRQ:
        if (SC - C_ISR - C_S) < 0
            Disable IRQ
        else
            Enable IRQ
    Enable_INT
}

ISR_Server() {
    SC := SC - C_ISR - C_S
    call ISR
    Check for all IRQ:
        if (SC - C_ISR - C_S) < 0
            Disable IRQ
        else
            Enable IRQ
}



The choice of the MaxSC value for different locations depends on the application
requirements and is specified at the design stage.
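As an added illustration of the Fill_Server()/ISR_Server() budgeting above (this code is not from the paper; the interrupt sources, their costs and the burst of requests are constructed for the example), the following Python model replays a burst of IRQs against an interrupt server and reports how much processor time the ISRs actually consumed. The fields max_sc, c_s and c_isr mirror MaxSC, C_S and C_ISR; the hardware IRQ mask is modelled as a per-source enabled flag, and computation_bounds() gives the prolonged margins of Fig. 5.2.

```python
"""Interrupt server budget: ISR time per computation never exceeds MaxSC."""
from dataclasses import dataclass


@dataclass
class IrqSource:
    name: str
    c_isr: int            # worst-case execution time of this source's ISR
    enabled: bool = True  # state of this line's mask in the interrupt controller


@dataclass
class InterruptServer:
    max_sc: int           # MaxSC: processor time reserved for all ISRs per computation
    c_s: int              # C_S: execution time of ISR_Server() itself
    sources: list
    sc: int = 0           # SC: remaining server capacity
    spent: int = 0        # processor time consumed by ISR_Server() plus ISRs
    served: int = 0
    masked: int = 0       # requests that arrived while their IRQ line was disabled

    def _check_all_irq(self) -> None:
        # "Check for all IRQ": a line stays enabled only if one more invocation
        # (ISR plus server overhead) still fits into the remaining capacity.
        for src in self.sources:
            src.enabled = (self.sc - src.c_isr - self.c_s) >= 0

    def fill_server(self) -> None:
        # Fill_Server(MaxSC): called at the beginning of each computation with
        # interrupts disabled; refills SC and re-evaluates every mask.
        self.sc = self.max_sc
        self.spent = 0
        self._check_all_irq()

    def irq(self, name: str) -> bool:
        # ISR_Server(): wraps the ISR. A masked line never reaches the CPU, so
        # the request is dropped by hardware before it costs any time.
        src = next(s for s in self.sources if s.name == name)
        if not src.enabled:
            self.masked += 1
            return False
        cost = src.c_isr + self.c_s
        self.sc -= cost
        self.spent += cost
        self.served += 1
        self._check_all_irq()      # may disable lines for the rest of this computation
        return True


def computation_bounds(L: int, H: int, c_fs: int, max_sc: int) -> tuple:
    # Margins of a computation location once interrupts are taken into account
    # (Fig. 5.2): the lower margin grows by C_FS only, the upper by C_FS + MaxSC.
    return (L + c_fs, H + c_fs + max_sc)


def simulate_storm(server: InterruptServer, requests: list) -> dict:
    # Replay a burst of interrupt requests that all fall into one computation.
    server.fill_server()
    for name in requests:
        server.irq(name)
    return {"served": server.served, "masked": server.masked,
            "spent": server.spent, "remaining_sc": server.sc}


if __name__ == "__main__":
    srv = InterruptServer(max_sc=100, c_s=5,
                          sources=[IrqSource("bus", 20), IrqSource("timer", 10)])
    # Constructed burst: the bus controller raises ten requests back to back.
    print(simulate_storm(srv, ["bus"] * 10))
    print(computation_bounds(L=30, H=40, c_fs=3, max_sc=100))
```

With MaxSC = 100, C_S = 5 and C_ISR(bus) = 20, four bus requests exhaust the capacity (4 × 25 = 100); the check after the fourth one masks both lines, the remaining six requests never interrupt the CPU, and the time spent in ISRs stays at MaxSC. That is exactly the bound the timed automata rely on when H is prolonged by MaxSC, and it is what makes a burst of external events (a noisy bus) harmless to the cooperative schedule; whether requests dropped this way are acceptable is the question Prop1 b) in Section 7 asks of the chosen MaxSC.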



6 Inter Process Communication Primitives 

A very important part of each multitasking application (and a source of many possible
errors) is the communication between processes and their synchronisation. An operating
system usually provides many facilities to manage inter process communication. It is
not the intention of this paper to introduce models of all possible kinds of inter process
communication.

On the example of a semaphore we show how to extend the proposed model of the
scheduler and application. The semaphore is the primitive used mostly for
synchronization and mutually exclusive access to resources. It can be taken or given by a
process using the system calls Take() or Give(). When the semaphore is given, its
value is increased. When the semaphore is taken, its value is decreased. When the
value of the semaphore is zero, it cannot be taken and the process attempting to take it
is blocked until the semaphore is given by another process. This blocking time can be
bounded by a timeout. When more than one process is blocked on one semaphore,
they wait in a priority queue or a FIFO (First In First Out) queue. This basic
behaviour of the semaphore can be modified according to the purpose it is dedicated to.
We suppose the semaphore to be of the counting type, with a value ranging from zero to
MaxCount.

An example of an application process model with a semaphore is depicted in Fig. 6.1.
The process attempts to take the semaphore by the synchronisation Take!. Then it waits in
location WaitSem until the semaphore is taken (synchronisation Taken?) or until the
timeout expires (synchronisation TOut!). The synchronisation Give! is used to give
the semaphore. Notice that giving the semaphore is not a blocking operation and
therefore the semaphore is given on the transition entering the Comp3 location. On
the other hand, taking the semaphore is a blocking operation and therefore the transitions with
Taken? and TOut! lead to the locations WaitProc2 or WaitProc3 respectively, where the
process waits for the processor.
FncProcess1 {
    while (TRUE) {
        Comp1
        Result := Take(Sem, TimeOut)
        if (Result == TOut) {
            Comp4
            Yield()
        } else {
            Comp2
            Give(Sem)
        }
        Comp3
        Wait End of Period
    }
}

Fig. 6.1. Model of a process containing Take and Give of one semaphore. The automaton
has the locations Comp1 (invariant w < C1Hi), WaitProc1, WaitSem (w <= TimeOut),
WaitProc2, Comp2 (w < C2Hi), Comp3 (w < C3Hi), Comp4 (w < C4Hi), WaitProc3 and
WaitTimer (t <= Period, left when t >= Period). The computation locations are left with
the guards w > C1Lo, w > C2Lo, w > C3Lo and w > C4Lo; the synchronisations used are
Take!, Taken?, TOut!, Schedule?, Deschedule!, Give!, Signal! and Block!, with the clock
resets w := 0 and t := 0.



The scheduler model for an application with two semaphores is depicted in Fig. 6.2.
The scheduler is asked by the executed process for taking the semaphore by the
synchronisation Take?. If the semaphore is empty (Sem==0), the processor is
relinquished (Free:=1), the ID of the process is written to the queue of the semaphore
(SemQ) and the queue (FIFO or priority) is reordered by the synchronisation wSemQch!.
The scheduler and the process then wait in the location WaitSem until the semaphore
is given by another process or until its time-out expires. If the semaphore is not empty
(Sem>0), its value is decreased and the synchronisation Taken! is immediately
followed by the synchronisation Schedule! to continue the execution. The processor is not
relinquished in this case.

The queue of the processes waiting for the semaphore (SemQ) can be a FIFO queue
or a priority queue. In the case of a priority queue, its elements (IDs of processes) must
be reordered according to priorities when the next process issues Take on the empty
semaphore. This is managed by an automaton similar to the one depicted in Fig. 3.4.
The only difference is the name of the queue (SemQ, wSemQch, nSemQ, rSemQ,
wSemQ). Reordering is not necessary when a FIFO queue is used.
Fig. 6.2. Scheduler model containing two semaphores (extension of Fig. 3.3). The guards
and updates recoverable from the figure are:

  Give1? (and symmetrically Give2?):
      Sem1 := (Sem1 < MaxCount ? Sem1 + 1 : MaxCount)
  Schedule! from Ready to Exe:
      guard  Free == 1, Q[rQ] == ID, (Sem1 == 0 || nSem1Q == 0), (Sem2 == 0 || nSem2Q == 0)
      update Free := 0, nQ := nQ - 1, rQ := (rQ < sizeQ - 1 ? rQ + 1 : 0)
  Take2? with Sem2 == 0:
      Sem2Q[wSem2Q] := ID, Free := 1, followed by wSem2Qch! and the wait in
      location WaitSem2, which is left by Taken2! or TOut2? (both write Q[wQ] := ID
      to the ready queue, followed by wQch!)
  Taken2! with Sem2 > 0, Sem2Q[rSem2Q] == ID:
      Sem2 := Sem2 - 1, nSem2Q := nSem2Q - 1, rSem2Q := (rSem2Q < sizeQ - 1 ? rSem2Q + 1 : 0)
As has been explained in Section 4, rescheduling is not possible before updating the
states of all processes. Therefore the transitions from Ready to Exe have lower priority
than the transitions from WaitSem to Ready. That means that scheduling cannot occur
while there is any process waiting on a signalled semaphore. This is modelled by
restricting the guard g of the transition from Ready to Exe to g' = g ∧ ∀i (Sem_i = 0 ∨ nSem_iQ = 0).
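The following Python class is an added example of the semaphore semantics described in this section; it is not the UPPAAL model of Fig. 6.1/6.2 and the scenario it runs (process IDs, priorities, timeouts) is constructed. In Fig. 6.2 a Give increments Sem (saturating at MaxCount) and the process at the head of SemQ then takes it on the transition Sem>0, SemQ[rSemQ]==ID; here the two steps are merged into a direct hand-off to the head of the queue, which yields the same observable outcome. The convention that a smaller priority number is a higher priority is an assumption of the example.

```python
"""Counting semaphore with Take/Give, timeout and a FIFO or priority wait queue."""

TAKEN, TOUT = "Taken", "TOut"   # the two possible results of Take(Sem, TimeOut)


class CountingSemaphore:
    # Assumed convention (not from the paper): a smaller priority number means
    # a higher priority, so a priority queue is kept sorted ascending.
    def __init__(self, initial: int, max_count: int, priority_queue: bool = False):
        self.value = initial
        self.max_count = max_count
        self.priority_queue = priority_queue
        self.waiting = []        # SemQ: entries (pid, prio, deadline)
        self.lost_gives = 0      # Gives issued while the value already equals MaxCount

    def take(self, pid: str, prio: int, now: int, timeout: int):
        # Sem > 0: take immediately; the processor is not relinquished.
        if self.value > 0:
            self.value -= 1
            return TAKEN
        # Sem == 0: block, enqueue the ID and reorder if SemQ is a priority queue.
        self.waiting.append((pid, prio, now + timeout))
        if self.priority_queue:
            self.waiting.sort(key=lambda entry: entry[1])
        return None              # the caller stays in WaitSem

    def give(self):
        # With a waiter at the head of SemQ the semaphore is signalled and taken
        # at once (value unchanged, waiter proceeds with TAKEN). Without waiters
        # the value grows but saturates at MaxCount, i.e. surplus Gives are lost.
        if self.waiting:
            pid, _, _ = self.waiting.pop(0)
            return pid
        if self.value < self.max_count:
            self.value += 1
        else:
            self.lost_gives += 1
        return None

    def expire(self, now: int) -> list:
        # TOut!: every waiter whose deadline has passed leaves SemQ empty-handed.
        expired = [pid for pid, _, deadline in self.waiting if deadline <= now]
        self.waiting = [w for w in self.waiting if w[2] > now]
        return expired


def run_scenario(priority_queue: bool) -> dict:
    # Constructed scenario: P1 takes the only unit, P2 (prio 3) and P3 (prio 1)
    # block, one Give arrives, then time 8 passes P3's deadline (2 + 5 = 7).
    sem = CountingSemaphore(initial=1, max_count=2, priority_queue=priority_queue)
    out = {}
    out["p1"] = sem.take("P1", prio=3, now=0, timeout=50)
    out["p2"] = sem.take("P2", prio=3, now=1, timeout=50)
    out["p3"] = sem.take("P3", prio=1, now=2, timeout=5)
    out["woken_by_give"] = sem.give()
    out["timed_out"] = sem.expire(8)
    while sem.waiting:           # remaining waiters are served by further Gives
        sem.give()
    for _ in range(3):           # three more Gives with nobody waiting
        sem.give()
    out["value"] = sem.value
    out["lost_gives"] = sem.lost_gives
    return out


if __name__ == "__main__":
    print("FIFO    :", run_scenario(priority_queue=False))
    print("priority:", run_scenario(priority_queue=True))
```

With a FIFO queue the Give wakes P2 and the higher-priority P3 times out; with a priority queue P3 is served first and nobody times out. In both cases three Gives against an empty queue leave the value at MaxCount = 2 with one Give lost, which is the saturation the guard Sem1 < MaxCount in Fig. 6.2 encodes and the reason Prop2 in Section 7 checks Sem1 < 2.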



7 Case Study 

This section demonstrates the methodological approach to modelling real-time
operating system based applications on the example of an elevator controller.

The elevator cabin either resides in a floor, or it moves between floors, or it goes
through a floor (Fig. 7.2 b). The cabin movement is controlled by a three-state
variable Go having the value UP, DOWN or STOP. The value of the cabin position
sensor is stored in the variable In, which is equal to 1 when the cabin resides in or goes
through any floor. Motor overheating is detected by the value Hi of the variable Temper
(see Fig. 7.2 c). In such a case the cabin must stop at the forthcoming floor and further
movement is disabled by resetting the variable Enable.

All sensors and actuators are connected to the control system by a bus
guaranteeing the message delivery time. The control system software consists of
three processes scheduled by the cooperative scheduler and one interrupt service routine.

The bus controller generates an interrupt request (IRQ) when new data are received
from the bus or all prepared data have been transmitted to the bus (see Fig. 7.2 d). If the
interrupt is enabled (EN=1), the hardware interrupt controller (see Fig. 7.2 e)
interrupts the CPU, the ISR_Server is invoked (see Fig. 7.2 f) and the semaphore Sem1 is
signalled. The highest priority process ComProc, providing communication services,
takes the semaphore Sem1, then it recognises the data receiver and it signals the semaphore
Sem3 or Sem4 (see the code in Fig. 7.1 and the corresponding automaton in Fig. 7.2 g).
The middle priority process DiagProc provides diagnostics and emergency shut-down
when the motor is overheated. It is waiting on Sem3 (see the code in Fig. 7.1 and the
corresponding automaton in Fig. 7.2 h). The lowest priority process CtrlProc,
providing the cabin control, is waiting on Sem4 (see the code in Fig. 7.1 and the
corresponding automaton in Fig. 7.2 i). The semaphore Sem2 provides mutually
exclusive access to all shared data. The pseudocode of the control system software is in
Fig. 7.1.

The goal of this case study is to create a model of the system and to use the model-
checking tool UPPAAL to verify the following properties:

■ Prop1: No IRQ is lost, i.e. a) interrupt handling is short enough and b) the interrupt
  server capacity is sufficient.

■ Prop2: The execution of ComProc is started between two successive interrupts.

■ Prop3: The execution of ComProc is finished within 24 ms after taking Sem1.

■ Prop4: The execution of DiagProc is finished within 24 ms after taking Sem3.

■ Prop5: The execution of CtrlProc is finished within 34 ms after taking Sem4.

■ Prop6: Usage of the elevator is disabled within 166 ms after the motor overheating.

■ Prop7: The cabin will stop at some floor within 5.2 s after the motor overheating.
The automata of the proposed model are depicted in Fig. 7.2. The interconnection
of all automata is depicted in Fig. 7.2 a). The scheduler automaton is similar to the
one in Fig. 6.2 but it is extended to four semaphores.



ComProc() {
    while (true) {
        Take(Sem1)
        Fill_Server(S1)
        Computation1 /12
        Take(Sem2)
        Fill_Server(S2)
        Computation2 /12
        if (Data == DIAG)
            Give(Sem3)
        if (Data == CTRL)
            Give(Sem4)
        Give(Sem2)
    }
}

DiagProc() {
    while (true) {
        Take(Sem3)
        Fill_Server(S1)
        Computation1 /12
        Take(Sem2)
        Fill_Server(S2)
        Computation2 /12
        if (Temper == Hi) {
            Enable := 0
            if (Go != STOP and In == 1)
                Go := STOP
        }
        Give(Sem2)
    }
}

CtrlProc() {
    while (true) {
        Take(Sem4)
        Take(Sem2)
        Fill_Server(S1)
        Computation1 /22
        Yield
        Fill_Server(S2)
        Computation2 /12
        Give(Sem2)
    }
}

Fig. 7.1. Control system software pseudocode (the value after the slash is the computation
time of the respective Computation block, in ms; cf. the worst-case computation times in
Section 7.1)



The specified properties are formalized in CTL as follows:

■ Prop1: a) $\forall\Box\, \neg\mathit{IntCtrl.NestedIRQ}$, b) $\forall\Box\, \neg\mathit{IntCtrl.DisabledIRQ}$

■ Prop2: $\forall\Box\, \mathit{Sem1} < 2$

■ Prop3: $\forall\Box\, ((\mathit{ComProc.WaitProc2} \wedge \mathit{ComProc.t} = 0) \Rightarrow \forall\Diamond\, (\mathit{ComProc.EndComp} \wedge \mathit{ComProc.t} < 24))$

■ Prop4: $\forall\Box\, ((\mathit{DiagProc.WaitProc2} \wedge \mathit{DiagProc.t} = 0) \Rightarrow \forall\Diamond\, (\mathit{DiagProc.EndComp} \wedge \mathit{DiagProc.t} < 24))$

■ Prop5: $\forall\Box\, ((\mathit{CtrlProc.WaitProc2} \wedge \mathit{CtrlProc.t} = 0) \Rightarrow \forall\Diamond\, (\mathit{CtrlProc.EndComp} \wedge \mathit{CtrlProc.t} < 34))$

■ Prop6: $\forall\Box\, ((\mathit{Temper} = \mathit{Hi} \wedge \mathit{tTemper} = 0) \Rightarrow \forall\Diamond\, (\mathit{Enable} = 0 \wedge \mathit{tTemper} < 166))$

■ Prop7: $\forall\Box\, ((\mathit{Temper} = \mathit{Hi} \wedge \mathit{tTemper} = 0) \Rightarrow \forall\Diamond\, (\mathit{Enable} = 0 \wedge \mathit{In} = 1 \wedge \mathit{Go} = \mathit{STOP} \wedge \mathit{tTemper} < 5200))$

Result of verification: all properties except Prop7 are satisfied.
Fig. 7.2. Elevator and control system model



Note: Please notice that under the worst-case conditions the cabin will not stop at
any floor within 5.2 s after the increase of the motor temperature (Prop7 is not satisfied), even
though DiagProc will react to this situation within 166 ms (Prop6 is satisfied)
and the maximal time that the cabin spends between two floors is 5 s (the time invariant
of the state BetweenFloors in the cabin model in Fig. 7.2 b) is t <= 5000). This result
would be hard to find by a separate analysis of the time and logical properties of the
system. In fact, the property Prop7 is satisfied for the value tTemper < 5332, since
5332 = 166 + 5000 + 166.
7.1 Comparison with RMA Approach

Notice that the properties Prop3, Prop4 and Prop5 represent an exploration of the worst-
case completion time for the processes ComProc, DiagProc and CtrlProc. Let us compare
the approach adopted in this article to the RMA approach.

Let us suppose that the processes are scheduled by preemptive rate monotonic
scheduling:

• the minimal interarrival times are T_ComProc = 50, T_DiagProc = 100 and T_CtrlProc = 200,

• the worst-case computation times are C_ComProc = 24, C_DiagProc = 24 and C_CtrlProc = 34,

• the critical section (Sem2) is locked for the durations D_ComProc = 12, D_DiagProc = 12 and
  D_CtrlProc = 34.

It is obvious that without knowledge of the internal structure, the worst-case blocking
time on Sem2 must be considered: B_ComProc = 34, B_DiagProc = 34.

Based on these very abstract assumptions on the system behaviour, RMA
evaluates the processes ComProc and DiagProc as non-schedulable.
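The paper only reports the RMA verdict; the following Python code, added here as an example and not taken from the paper, carries the calculation through with the standard fixed-point response-time test (R = C + B + sum over higher-priority tasks of ceil(R/T_j)·C_j). The process parameters are those listed above; B_CtrlProc = 0 is an assumption, since the lowest-priority process cannot be blocked by a lower one.

```python
"""Response-time analysis with blocking for the three elevator processes."""
import math


def response_time(C: int, T: int, B: int, higher: list) -> int:
    # Fixed-point response-time test (not from the paper):
    # R = C + B + sum_{j in higher} ceil(R / T_j) * C_j, iterated from R = C + B
    # until R stabilises or exceeds the period T (deadline miss).
    r = C + B
    while True:
        r_next = C + B + sum(math.ceil(r / Tj) * Cj for Cj, Tj in higher)
        if r_next == r or r_next > T:
            return r_next
        r = r_next


def rma_analysis(tasks: list) -> dict:
    # tasks: (name, C, T, B) in descending priority order (rate monotonic:
    # the shorter the period, the higher the priority).
    # Returns name -> (worst-case response time, schedulable?).
    result = {}
    higher = []                        # (C_j, T_j) of the tasks analysed so far
    for name, C, T, B in tasks:
        R = response_time(C, T, B, higher)
        result[name] = (R, R <= T)
        higher.append((C, T))
    return result


# Parameters of Section 7.1. B_CtrlProc = 0 is assumed: nothing of lower
# priority can hold Sem2 against the lowest-priority process.
ELEVATOR = [("ComProc", 24, 50, 34), ("DiagProc", 24, 100, 34), ("CtrlProc", 34, 200, 0)]

if __name__ == "__main__":
    for name, (R, ok) in rma_analysis(ELEVATOR).items():
        print(f"{name}: R = {R}, {'schedulable' if ok else 'NOT schedulable'}")
```

ComProc already misses with R = 24 + 34 = 58 > 50, DiagProc with R = 106 > 100 (24 + 34 plus two preemptions by ComProc), while CtrlProc converges to R = 178 <= 200. The pessimism comes entirely from the blocking term: RMA must assume that CtrlProc holds Sem2 for its full 34 ms whenever ComProc or DiagProc needs it, whereas the timed automata model of Fig. 7.2 sees the actual order of Take(Sem2) and Yield in Fig. 7.1 and establishes the 24/24/34 ms bounds of Prop3 to Prop5 under cooperative scheduling.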



8 Conclusion and Future Work 

The cooperative scheduling approach given in this article avoids the modelling of preemption
by hybrid automata. The model of the application processes and the
cooperative scheduler is based on timed automata, for which the model checking
problem for TCTL properties is decidable (as opposed to hybrid automata). Interrupts and
inter-process communication, the most important aspects of real-time embedded
applications, are taken into consideration in the proposed model. With respect to
processor utilisation and reaction time the cooperative scheduling conceived in this
article is not the most efficient one, but for reasons of simplicity many embedded
applications are based on similar cooperative scheduling mechanisms handling
interrupts separately; therefore this approach is not just an academic idea.

Existing approaches to the design and analysis of real-time applications, like Rate
Monotonic Analysis (using preemptive scheduling based on a priority assignment
respecting the rate of periodic processes), use a very elegant way of deciding whether
the application is schedulable or not. But it needs to be mentioned that the model
checking approach provides room for verifying more complex properties (e.g.
detection of deadlocks in communication, specification of buffer sizes, ...). Model
checking also provides room for modelling the more complex time behaviour of the
controlled system, running truly in parallel with the control system (modelled as a
separate automaton).

As the complexity of model checking remains very high in the general case, it is
motivating to set up rules applied at the design phase that would lead to state
spaces of reasonable size. The specification of such rules, linked to the identification of the
controlled systems, represents a possible direction of our future work.
Abstract. Testing is the primary software validation technique used by
industry today, but remains ad hoc, error prone, and very expensive.
A promising improvement is to automatically generate test cases from
formal models of the system under test.

We demonstrate how to automatically generate real-time conformance
test cases from timed automata specifications. Specifically we demon-
strate how to efficiently generate real-time test cases with optimal exe-
cution time, i.e. test cases that are the fastest possible to execute. Our
technique allows time optimal test cases to be generated using manually
formulated test purposes or automatically from various coverage criteria
of the model.



1 Introduction 

Testing is the execution of the system under test in a controlled environment 
following a prescribed procedure with the goal of measuring one or more quality 
characteristics of a product, such as functionality or performance. Testing is the 
primary software validation technique used by industry today. However, despite 
the importance and the many resources and man-hours invested by industry 
(about 30% to 50% of development effort), testing remains quite ad hoc and 
error prone. 

A promising approach to improving the effectiveness of testing is to base test
generation on an abstract formal model of the system under test (SUT) and use
a test generation tool to (automatically or user guided) generate and execute test
cases. Model based test generation has been under scientific study for some time,
and practically applicable test tools are emerging [6, 14, 16, 10]. However, little is
still known in the context of real-time systems, and few proposals exist that deal
explicitly and systematically with testing real-time properties [15, 9, 7, 8, 12, 13].
A principal problem is that a very large number of test cases (generally infinitely
many) can be generated from even the simplest models. The addition of real
time adds another source of explosion, i.e. when to stimulate the system and
expect a response.
In this paper we demonstrate how it is possible to generate time-optimal
test cases and test suites, i.e. test cases and suites that are guaranteed to take
the least possible time to execute. Time optimal test suites are interesting for
several reasons. First, reducing the total execution time of a test suite allows
more behavior to be tested in the (limited) time allocated to testing. Second,
it is generally desirable that regression testing can be executed as quickly as
possible to improve the turn around time between changes. Third, it is essential
for product instance testing that a thorough test can be performed without
testing becoming the bottleneck, i.e., the test suite can be applied to all products
coming off an assembly line. Finally, in the context of testing of real-time systems,
we hypothesize that the fastest test case that drives the SUT to some state
also has a high likelihood of detecting errors, because this is a stressful situation
for the SUT to handle. Most other work, e.g. [1, 17], focuses on minimizing the
length of the test suite, which is not directly linked to the execution time because
some events take longer to produce or real-time constraints are ignored.

We propose a new technique for automatically generating time optimal test 
cases and test suites for embedded real time systems. We focus on conformance 
testing i.e., checking by means of execution whether the behavior of some black 
box implementation conforms to that of its specification, and moreover doing 
this within minimum time. The fact that the SUT is a black box means that 
communication with the SUT only takes place via a well defined set of observ- 
able actions which implies limited observability and controllability. The required 
behavior is specified using Uppaal style timed automata. The fastest diagnostic 
trace facility of the Uppaal model checking tool is used to generate time optimal 
test sequences. 

The test cases can either be generated using manually formulated test pur-
poses or automatically from several kinds of coverage criteria, such as transition
or location coverage, of the timed automata model. Even coverage based test
suites are guaranteed to be time optimal in the sense that the total time required to
execute the test sequences in the suite (and the intermediate resets) is minimal.
The main contributions of the paper are:

– Definition of a subclass of timed automata from which the diagnostic traces
of Uppaal can be used as test cases.

– Application of time optimal reachability analysis algorithms to the context
of test case generation.

– A technique to generate time optimal covering test suites for three important
coverage criteria.

– Experimental evidence that the proposed technique has practical merits.

The rest of the paper is organized as follows: in the next section we introduce 
a framework for testing real-time systems based on a testable subclass of timed 
automata. In Section 3 and 4 we describe how to encode test purposes and test 
criteria, and report experimental results respectively. In Section 5 we conclude 
the paper and discuss future work. 
2 Timed Automata and Testing

We will assume that both the system under test (SUT) and the environment in 
which it operates are modelled as timed automata. 

2.1 Testable Timed Automata 

The model used in this paper is networks of timed automata [2] with a few
restrictions to ensure testability.

Let $X$ be a set of non-negative real-valued variables called clocks, and $Act$
a set of actions and co-actions (denoted $a!$ and $a?$) and the non-synchronising
action (denoted $\tau$). Let $G(X)$ denote the set of guards on clocks being con-
junctions of simple constraints of the form $x \bowtie c$, and let $U(X)$ denote the
set of updates of clocks corresponding to sequences of the form $x := c$, where
$x \in X$, $c \in \mathbb{N}$, and $\bowtie \in \{\leq, <, =, \geq, >\}$.¹ A timed automaton over $(Act, X)$ is
a tuple $(L, \ell_0, I, E)$, where $L$ is a set of locations, $\ell_0 \in L$ is an initial location,
$I : L \to G(X)$ assigns invariants to locations, and $E$ is a set of edges such that
$E \subseteq L \times G(X) \times Act \times U(X) \times L$. We write $\ell \xrightarrow{g,a,u} \ell'$ iff $(\ell, g, a, u, \ell') \in E$.

The semantics of a timed automaton is defined in terms of a timed transition
system over states of the form $p = (\ell, \sigma)$, where $\ell$ is a location and $\sigma \in \mathbb{R}_{\geq 0}^{X}$ is
a clock valuation satisfying the invariant of $\ell$. Intuitively, there are two kinds
of transitions: delay transitions and discrete transitions. In delay transitions,
$(\ell, \sigma) \xrightarrow{d} (\ell, \sigma + d)$, the values of all clocks of the automaton are incremented
by the amount of the delay, $d$. Discrete transitions $(\ell, \sigma) \xrightarrow{a} (\ell', \sigma')$ correspond
to the execution of edges $(\ell, g, a, u, \ell')$ for which the guard $g$ is satisfied by $\sigma$. The
clock valuation $\sigma'$ of the target state is obtained by modifying $\sigma$ according to the
updates $u$.

A network of timed automata $A_1 \parallel \cdots \parallel A_n$ over $(Act, X)$ is defined as the
parallel composition of $n$ timed automata over $(Act, X)$. Semantically, a network
again describes a timed transition system obtained from those of the components
by requiring synchrony on delay transitions and requiring discrete transitions to
synchronize on complementary actions (i.e. $a?$ is complementary to $a!$).

To ensure testability, certain semantic restrictions turn out to be required.
Following similar restrictions in [15], we define the notion of deterministic, input
enabled and output urgent timed automata, DIEOU-TA, as follows:

1. Determinism. For a given state $p$ and label $l$, all transitions of the form $p \xrightarrow{l}$
lead to the same state.

2. Input enableness. In any state, any input action is enabled.

3. Output uniqueness. Each state $p$ has at most one output action, i.e. $p \xrightarrow{a!}$ and $p \xrightarrow{b!}$
implies $a = b$.

4. Output urgency. When an output (or $\tau$) is enabled, it will occur immediately,
i.e. time is not allowed to pass when $p \xrightarrow{a!}$ (or $p \xrightarrow{\tau}$).

¹ To simplify the presentation in the rest of the paper, we restrict to guards with
non-strict lower bounds on clocks.
Fig. 1. Test Specification



2.2 Testing Timed Automata 

We assume that the test specification is given as a closed network of timed au-
tomata that can be partitioned into one subnetwork modelling the behavior of
the SUT, and one modelling the behavior of its environment (ENV), as shown
in Figure 1. Often the SUT operates in a specific environment, in which case it is only
necessary to establish correctness under the (modelled) environment assump-
tions; otherwise the environment model can be replaced with an unconstrained
environment allowing all possible interaction sequences.

We assume that the tester can take the place of the environment and control
the SUT via a distinguished set of observable input ($I$) and output actions ($O$),
$Act = I \cup O$. For the SUT to be testable the subnetwork modelling it should
be controllable in the sense that it should be possible for an environment to
drive the subnetwork model through all of its syntactical parts (e.g. edges and
locations). This is precisely ensured by making the assumption that the model
of the system under test satisfies the restrictions of DIEOU.

Example 1. We use the simple light switch controller shown in Figure 2 to illustrate
the concepts. The user interacts with the controller by touching a touch
sensitive pad. The light has three intensity levels: OFF, DIMMED, and BRIGHT.
Depending on the timing between successive touches (recorded by the clock x),
the controller toggles the light levels. For example, in dimmed state, if a second
touch is made quickly (before the switching time Tsw = 4 time units) after the
touch that caused the controller to enter dimmed state (from either off or bright
state), the controller increases the level to bright. Conversely, if the second touch
happens after the switching time, the controller switches the light off. If the light
controller has been in off state for a long time (longer than Tidle = 20), it should
reactivate upon a touch by going directly to bright level. We leave it to the
reader to verify for herself that the conditions of DIEOU are met by the model
given.

The environment model shown in Figure 3(a) models a user capable of performing
any sequence of touch actions. When the constant Treact is set to zero
he is arbitrarily fast. A more realistic user is only capable of producing touches
with a limited rate; this can be modelled by setting Treact to a non-zero value. Figure
3(b) models a different user able to make two quick successive touches, but
who then is required to pause for some time (to avoid cramp), Tpause = 5.
Fig. 2. Light Controller



2.3 UPPAAL and Time-Optimal Reachability 

Uppaal is a verification tool for a timed automata based modelling language [11]. 
Besides dense-time clocks, the tool supports both simple and complex data types 
like bounded integers and arrays as well as synchronisation via shared variables 
and actions. The specification language supports both safety and liveness prop- 
erties. 

To produce test sequences, we shall make use of Uppaal's ability to generate
diagnostic traces witnessing a posed safety property. Currently Uppaal supports
three options for diagnostic trace generation: some trace leading to the goal
state, the shortest trace with the minimum number of transitions, and the fastest
trace with the shortest accumulated time delay. The underlying algorithm used
for finding time-optimal traces is an extended version of Uppaal's symbolic on-
the-fly reachability analysis algorithm, extended with ideas from the well-known
A*-algorithm [3]. Hence to further improve performance it is possible to supply
a heuristic function which, for all reachable symbolic states, gives a lower bound
estimate of the remaining cost needed to reach a goal state.

2.4 From Diagnostic Traces to Test Cases

Let $A$ be the timed automata network model of the SUT together with its intended
environment ENV. Consider a (concrete) diagnostic trace produced by Uppaal
for a given reachability question on $A$. This trace will have the form:

$$(S_0, E_0) \xrightarrow{\gamma_0} (S_1, E_1) \xrightarrow{\gamma_1} (S_2, E_2) \xrightarrow{\gamma_2} \cdots \xrightarrow{\gamma_{n-1}} (S_n, E_n)$$

where $S_i, E_i$ are states of the SUT and ENV, respectively, and $\gamma_i$ are either
time-delays or synchronization (or internal) actions. The latter may be further
partitioned into purely SUT or ENV transitions (hence invisible for the other
Fig. 3. Two possible environment models for the simple light switch



part) or synchronizing transitions between the SUT and the ENV (hence ob- 
servable for both parties). 

From the diagnostic trace above a test sequence $\lambda$ may be obtained simply by
projecting the trace to the ENV-component, while removing invisible transitions,
and summing adjacent delay actions. Finally, a test case to be executed on the
real SUT implementation may be obtained from $\lambda$ by the addition of verdicts.

Adding the verdicts requires some comments on the chosen correctness relation
between the specification and the SUT. In this paper we require timed trace
inclusion, i.e. that the timed traces of the implementation are included in those of the
specification. Thus after any input sequence, the implementation is allowed to
produce an output only if the specification is also able to produce that output.
Similarly, the implementation may delay (thereby staying silent) only if the
specification also may delay.

To clarify the construction we may model the test case itself as a timed
automaton $A_\lambda$ for the test sequence $\lambda$. Locations in $A_\lambda$ are labelled using two
distinguished labels, pass and fail. The execution of a test case is now formalized
as a parallel composition of the test case automaton $A_\lambda$ and the SUT $A_S$:

$$S \text{ passes } A_\lambda \quad \text{iff} \quad A_\lambda \parallel A_S \not\rightsquigarrow \mathit{fail}$$

$A_\lambda$ is constructed such that a complete execution terminates in a fail state if
the SUT cannot perform $\lambda$, and such that it terminates in a pass state if the SUT
can execute all actions of $\lambda$. The construction is illustrated in Figure 4.

3 Test Generation 

In this section we describe how to generate time-optimal test sequences from 
test purposes, and time-optimal test suites from coverage criteria. 

3.1 Single Purpose Test Generation 

A common approach to the generation of test cases is to first manually formulate 
informally a set of test purposes and then to formalize them such that the model 
Fig. 4. Test case automaton for the sequence $i_0! \cdot \mathit{delay} \cdot o_0?$



can be used to generate one or more test cases for each test purpose. A test 
purpose is a specific test objective (or property) that the tester would like to 
observe on the SUT. 

Because we use the diagnostic trace facility of a model-checker based on 
reachability analysis, the test purpose must be formulated as a property that 
can be checked by reachability analysis of the combined ENV and SUT model. 
We propose different techniques for this. Sometimes the test purpose can be 
directly transformed into a simple location reachability check. In other cases 
it may require decoration of the model with auxiliary flag variables. Another 
technique is to replace the environment model with a more restricted one that 
matches the behavior of the test purpose only. 

TP1: Check that the light can become bright.

TP2: Check that the light switches off after three successive touches.

The test purpose TP1 can be formulated as a simple reachability property: E<>
LightController.bright (i.e. eventually the LightController automaton enters
location bright). Generating the shortest diagnostic trace results in the
test sequence: 20 · touch! · bright!. However, the fastest sequence satisfying the
purpose is 0 · touch! · dim! · 0 · touch! · bright!.

Test purpose TP2 can be formalized using the restricted environment model²
in Figure 5 with the property E<> tpEnv.goal.

The fastest test sequence is 0 · touch! · dim! · 0 · touch! · bright! · 0 · touch! · off!.



3.2 Coverage Based Test Generation 

Often the tester is interested in creating a test suite that ensures that the specifi- 
cation or implementation is covered in a certain way. This ensures that a certain 

² It is possible to use Uppaal's committed location feature to compose the test purpose
and environment model in a compositional way. Space limitations prevent us from
elaborating on this approach.
Fig. 5. Test Environment for TP2



level of systematic thoroughness has been achieved in the test generation
process. Here we explain how test sequences with guaranteed coverage of the
SUT model can be computed using reachability analysis, effectively giving au-
tomated tool support. In the next subsection, we show how to generalise the
technique to generate sets of test sequences.

A large suite of coverage criteria has been proposed in the literature, such as 
statement, transition, and definition-use coverage, each with its own merits and 
application domain. We explain how to apply some of these to timed automata 
models. 



Edge Coverage. A test sequence satisfies the edge-coverage criterion if, when 
executed on the model, it traverses every edge of the selected network components. 
Edge coverage can be formulated as a reachability property in the following 
way: add an auxiliary variable of type boolean (initially false) for each 
edge to be covered (typically realized as a bit array in Uppaal), and add to 
the assignments of each edge e_i an assignment e_i := true; a test suite can be 
generated by formulating a reachability property requiring that all variables 
are true: E<> (e_0 == true and e_1 == true ... e_n == true). 

The light switch in Figure 2 requires a bit-array of 12 elements. When the 
environment can touch arbitrarily fast, the generated fastest edge-covering test 
sequence has accumulated execution time 28. The solution (there might be more 
traces with the same fastest execution time) generated by Uppaal is: 

EC: 0 · touch? · dim! · 0 · touch? · bright! · 0 · touch? · off! · 20 · touch? · bright! · 4 · 
touch? · dim! · 4 · touch? · off!. 

Location Coverage. A test sequence satisfies the location-coverage criterion 
if, when executed on the model, it visits every location of the selected TA 
components. To generate test sequences with location coverage, we introduce an 
auxiliary variable s_i of type boolean (initially false for all locations except the 
initial) for each location ℓ_i to be covered. For every edge ℓ' → ℓ_i with 
assignments u, add s_i := true to u; the reachability property will 
then require all s_i variables to be true. 
Definition-Use Pair Coverage. The definition-use pair criterion is a data-flow 
coverage technique where the idea is to cover paths in which a variable is 
defined (i.e. appears in the left-hand side of an assignment) and later is used 
(i.e. appears in a guard or the right-hand side of an assignment). Due to space 
limitation, we restrict the presentation to clocks, which can be used in guards 
only. 

We use (v, e_d, e_u) to denote a definition-use pair (DU-pair) for variable v 
if e_d is an edge where v is defined and e_u is an edge where v is used. A DU-pair 
(v, e_d, e_u) is valid if e_u is reachable from e_d and v is not redefined on the path 
from e_d to e_u. A test sequence covers (v, e_d, e_u) iff (at least) once in the sequence, 
there is a valid DU-pair (v, e_d, e_u). A test sequence satisfies the (all-uses) DU-pair 
coverage criterion of v if it covers all valid DU-pairs of v. 

To generate test sequences with definition-use pair coverage, we assume 
that the edges of a model are enumerated, so that edge e_i carries the number i. 
We introduce an auxiliary data-variable v_d (initially false) with value domain 
{false} ∪ {1 … |E|} to keep track of the edge at which variable v was last defined, 
and a two-dimensional boolean array du of size |E| × |E| (initially false) to 
store the covered pairs. For each edge e_i at which v is defined we add v_d := e_i, 
and for each edge e_j at which v is used we add the conditional assignment 
if (v_d ≠ false) then du[v_d, e_j] := true. Note that if v is both used and defined on 
the same edge, the array assignment must be made before the assignment of v_d. 

The reachability property will then require all du[i,j] representing valid DU- 
pairs to be true for the (all-uses) DU-pair criterion. Note that a test sequence 
satisfying the DU-pair criterion for several variables can be generated using the 
same encoding, but extended with one auxiliary variable and array for each 
covered variable. 
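The three encodings above (edge, location and DU-pair coverage) all reduce to a time-optimal reachability search over the model extended with coverage bits. The following Python program is added here as an illustration; it is not part of the paper and not Uppaal's code. It performs that search on a constructed three-location light switch with one clock and integer time; the model, its edge labels and the constant 3 are assumptions chosen to resemble the paper's example, not its Figure 2. Each criterion supplies the items an edge covers (its index, its destination, or the (clock, defining edge, using edge) pairs computed before the edge's own resets, as the text requires), the valid DU-pairs are obtained by exploring the reachable states once, and Dijkstra on accumulated time returns the fastest single run covering all required items, printed in the paper's delay · action notation.

```python
import heapq
from dataclasses import dataclass

@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    label: str           # "input?/output!" pair, as in the paper's test sequences
    guard: tuple = ()    # conjunction of (clock, op, constant) triples
    resets: tuple = ()   # clocks set to 0 when the edge fires

# Constructed three-level light switch (an assumption, not the paper's Figure 2):
# a touch within 3 time units of the previous one brightens the light, a later touch
# switches it off.
EDGES = (
    Edge("off",    "dim",    "touch?/dim!",    resets=("x",)),
    Edge("dim",    "bright", "touch?/bright!", guard=(("x", "<=", 3),), resets=("x",)),
    Edge("dim",    "off",    "touch?/off!",    guard=(("x", ">", 3),),  resets=("x",)),
    Edge("bright", "off",    "touch?/off!",    resets=("x",)),
)
CLOCKS = ("x",)
INIT = "off"
K = 4   # largest guard constant + 1: higher clock values satisfy the same guards, so cap them
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
START = (INIT, (0,) * len(CLOCKS), (None,) * len(CLOCKS))   # location, clocks, last definitions

def guard_holds(edge, clocks):
    return all(OPS[op](clocks[CLOCKS.index(c)], k) for c, op, k in edge.guard)

def successors(loc, clocks, last_def):
    """Yield (time cost, fired edge index or None, location, clocks, last definitions).
    A unit delay costs 1; firing an edge costs 0, zeroes its clocks and records the
    edge as the last definition of each clock it resets (the paper's v_d variable)."""
    yield 1, None, loc, tuple(min(v + 1, K) for v in clocks), last_def
    for i, e in enumerate(EDGES):
        if e.src == loc and guard_holds(e, clocks):
            yield (0, i, e.dst,
                   tuple(0 if c in e.resets else v for c, v in zip(CLOCKS, clocks)),
                   tuple(i if c in e.resets else d for c, d in zip(CLOCKS, last_def)))

def items_of(criterion, i, last_def):
    """Coverage items produced by firing edge i: the edge itself, its destination
    location, or the DU pairs (clock, defining edge, using edge) for the clocks in its
    guard.  Pairs use the definitions in force *before* the edge, as the paper requires
    for an edge that both uses and redefines a clock."""
    if criterion == "edge":
        return {i}
    if criterion == "location":
        return {EDGES[i].dst}
    return {(c, last_def[CLOCKS.index(c)], i) for c, _, _ in EDGES[i].guard
            if last_def[CLOCKS.index(c)] is not None}

def valid_items(criterion):
    """Explore every reachable (location, clocks, last definitions) state and collect
    the items that can be covered at all; for DU pairs this is the set of valid pairs."""
    seen, stack, items = {START}, [START], set()
    while stack:
        loc, clocks, last_def = stack.pop()
        for _, i, loc2, clocks2, ld2 in successors(loc, clocks, last_def):
            if i is not None:
                items |= items_of(criterion, i, last_def)
            if (loc2, clocks2, ld2) not in seen:
                seen.add((loc2, clocks2, ld2))
                stack.append((loc2, clocks2, ld2))
    return items

def fastest_covering(criterion, required):
    """Time-optimal reachability (Dijkstra on accumulated time) over states extended
    with the set of covered items, i.e. the paper's coverage bits.  Returns (time, run)
    for the fastest single run covering all of `required`, or None if none exists."""
    covered0 = frozenset({INIT}) if criterion == "location" else frozenset()
    start = START + (covered0,)
    best, heap, tick = {start: 0}, [(0, 0, start, ())], 1
    while heap:
        t, _, state, run = heapq.heappop(heap)
        if t > best[state]:
            continue
        loc, clocks, last_def, covered = state
        if required <= covered:
            return t, run
        for cost, i, loc2, clocks2, ld2 in successors(loc, clocks, last_def):
            cov2 = covered if i is None else covered | items_of(criterion, i, last_def)
            nxt = (loc2, clocks2, ld2, cov2)
            if t + cost < best.get(nxt, float("inf")):
                best[nxt] = t + cost
                step = None if i is None else EDGES[i].label
                heapq.heappush(heap, (t + cost, tick, nxt, run + (step,)))
                tick += 1
    return None

def format_run(run):
    """Render a run in the paper's notation: delay · action · delay · action ..."""
    out, delay = [], 0
    for step in run:
        if step is None:
            delay += 1
        else:
            out.append(f"{delay} · {step}")
            delay = 0
    return " · ".join(out)

if __name__ == "__main__":
    for crit in ("edge", "location", "du"):
        t, run = fastest_covering(crit, valid_items(crit))
        print(f"{crit} coverage, time {t}: {format_run(run)}")
```

Running the block prints the fastest edge-, location- and DU-covering runs. The edge-covering run has to wait 4 time units in dim to exercise the late-touch edge, which is the only reason its accumulated time is non-zero; the location-covering run needs no delay at all. Capping clock values at K keeps the state space finite without changing which guards hold, so the search stays exact for this discrete-time model.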



3.3 Test Suite Generation 

Often a single covering test sequence cannot be obtained for a given test purpose 
or criterion (e.g. due to dead-ends in the model), or there might exist a covering 
set of test sequences for which the total time is shorter than for the fastest 
covering single test sequence. In these cases, the time-optimal test suite (i.e. the 
set of test sequences with shortest accumulated time) is needed to test the system. 
To generate time-optimal test suites, we introduce in the model reset actions 
that return the model to its initial state, from which the test may continue to 
cover the remaining parts. The generated test is then interpreted as a test suite 
consisting of a set of test sequences separated by resets. 

To introduce resets in the model, we allow the user to designate some locations 
as being resettable. Obviously, performing a reset in practice may take 
some time (or other costs measured in time) that must be taken into consideration 
when generating time-optimal test sequences. Resettable locations can 
be encoded into the model by adding reset transitions leading back to the initial 
location. Let x_r be an additional clock used for reset purposes, and let ℓ be 
a resettable location. Two reset-edges must then be added from ℓ to the initial 
location, i.e., 

ℓ --(reset!, x_r := 0)--> ℓ_r [x_r ≤ T_r] --(x_r == T_r, τ, u_0)--> ℓ_0 

Here u_0 are the assignments needed to reset clocks and other variables in the 
model (excluding auxiliary variables encoding test purpose or coverage criteria³). 
If more than one component is present in either the SUT-model or environment 
model, the reset-action must be communicated atomically to all of them. This 
can be done using the committed location feature of Uppaal. 

Table 1. Results for the Philips audio-control protocol 

Criteria    E(/rs)     G (s)    M (Kb) 
EC_S        212350       2.2      9416 
EC_R         18981       1.2      4984 
EC_R,S      114227     129.0    331408 

3.4 Environment Behavior 

A potential problem of the techniques presented above is that the generated test 
sequences may be non-realizable, in that they may require the environment of 
the SUT to operate infinitely fast. In general, it is necessary to establish correctness 
of the SUT only under the (modelled) environment assumptions. Therefore assumptions 
about the environment should be modelled explicitly, and will then be 
taken into account during test sequence generation. 

4 Experiments 

In the previous section we presented techniques to compute time-optimal covering 
test suites. In the following we apply the presented technique to a version of the 
Philips audio control protocol [5, 4], frequently studied in the context of model 
checking. 

We have created a DIEOU-TA model of the protocol. The system consists 
of a sender component and a receiver component communicating over a shared 
bus. The sender inputs a sequence of bits to be transmitted, Manchester encodes 
them, and transmits them as high and low voltage on the bus. To detect collisions 
the sender also checks that the bus is indeed low when it is itself sending 
a low signal. The receiver is triggered by low-to-high transitions on the bus, and 
decodes the bits based on this information. 

Table 1 summarizes the results. The first row contains results for the protocol 
tested with an environment consisting of a bus that may spontaneously go high 
to emulate collision, and a sender buffer producing any legal input-bit sequence. 
The second row shows results for a receiver tested in an environment consisting 
of a bus, and a buffer to hold the received bits. The third row is the results for the 
receiver tested in an environment consisting of a sender component with sender 
buffer, a bus, and receiver buffer. Thus the last row represents a rather large 
system. In all cases the time-optimal covering test sequence could be computed 
in reasonable time. 

³ In the encoding of DU-pair coverage, the variables v_d should be reset to false at 
resets. 

5 Conclusions and Future Work 

In this paper, we have presented a new technique for generating timed test sequences 
for a restricted class of timed automata. It is able to generate time-optimal 
test sequences from either a single test purpose or a coverage criterion. 
The technique uses the time-optimal reachability feature of Uppaal. Using a version 
of the Philips audio-control protocol, we have demonstrated how our technique 
works and performs. We conclude that it can generate practically relevant test 
sequences for systems of practically relevant size. However, we have also found 
a number of areas where our technique can be improved. 

The DIEOU-TA model is quite restrictive, and a generalization will benefit 
many real-time systems. Especially, we are working on removing the output ur- 
gency requirement. Without fundamental changes our technique can be applied 
to models that are output persistent only, meaning that outputs are allowed to 
appear at some unspecified time in an interval. 

Adding the required annotations for various coverage criteria by hand, and 
manually formulating the associated reachability property is tedious and error 
prone. We are working on a tool that performs these tasks automatically. 

Finally, we have found that the bit-vector annotations for tracking coverage 
and remaining time estimates may increase the state space significantly, and 
consequently also generation time and memory. The extra bits do not influence 
model behavior, and should therefore be treated differently in the verification 
engine. We are working on techniques that ignore these bits when possible, and 
that take advantage of the coverage bits for pruning states with "less" coverage. 
Abstract. Presently, the method to verify quantitative time properties 
on Time Petri Nets is the use of observers. The state space is then computed 
to test the reachability of a given marking. The main method to 
compute the state space of a Time Petri Net has been introduced by 
Berthomieu and Diaz [BD91]. It is known as the "state class method". 
We present in this paper a new efficient method to compute the state 
space of a bounded Time Petri Net as a marking graph, based on the 
region graph method used for Timed Automata [AD94]. The algorithm 
is proved to be exact with respect to the reachability of a marking and 
it computes a graph whose nodes are exactly the reachable markings of 
the Time Petri Net. The tool implemented computes faster than Tina, 
a tool for constructing the state space using classes, and allows testing 
on the fly the reachability of a given marking. 

Keywords: Time Petri Nets, Zone, State Space, Reachability Analysis, 
Verification 



1 Introduction 

Frameworks 

The theory of Petri Nets provides a general framework to specify the behavior of 
reactive systems, and time extensions have been introduced to take temporal 
specifications into account as well. The two main time extensions of Petri Nets are Time 
Petri Nets (TPN) [Mer74] and Timed Petri Nets [Ram74]. While a transition 
can be fired within a given interval for TPN, in Timed Petri Nets transitions are 
fired as soon as possible. There are also numerous ways of representing time. It 
could be relative to places, transitions, arcs or tokens. TPN are mainly divided into 
P-TPN, A-TPN and T-TPN where a time interval is relative to places (P-TPN), 
arcs (A-TPN) or transitions (T-TPN). Finally, Time Stream Petri Nets [DS94] 
were introduced to model multimedia applications. 

Concerning the timing analysis of these three models in order to verify properties, 
few studies have been carried out. 
Recent works [AN01, dFRA00] consider Timed Arc Petri Nets where each 
token has a clock representing its "age". Using a backward exploration algorithm 
[AJ01, FS98], they proved that coverability and boundedness are decidable 
for this class of Petri Nets. However, they assume a lazy (non-urgent) 
behavior of the net: the firing of a transition may be delayed even if its time 
becomes greater than its latest firing time, disabling the transition. 

In [Rok93, RM94], Rokicki considers an extension of labeled Petri Nets 
called Orbital Nets: each transition of the TPN (safe P-TPN) is labeled with 
a set of events (actions). The state space is constructed using a forward algorithm 
very similar to Alur and Dill's region-based method. Rokicki finally uses partial 
order methods to reduce time and space requirements for verification purposes. 
The semantics used is not formally defined and seems to differ from another 
commonly adopted one proposed by Khansa [KDC96]. 

Other approaches aim at translating a TPN into a Timed Automaton (TA) 
in order to use existing efficient tools on TA. In [CEP00], Cortes et al. propose 
to transform an extension of T-TPN into the composition of several TA. Each 
transition is translated into an automaton (not necessarily identical due to conflict 
problems) and it is claimed that the composition captures the behaviour of 
the TPN. In [CR03], Cassez and Roux propose another structural approach: 
each transition is translated into a TA using the same pattern. The authors 
prove the two models are timed-bisimilar. In [SA01], Sava and Alla compute 
the graph of reachable markings of a T-TPN. The result is a TA. Nevertheless, 
they assume the TPN is bounded and does not include ∞ as latest firing time, and no 
proof is given of the timed-bisimilarity between the two models. In [LR03], Lime 
and Roux propose a method for building the state class graph of a bounded T-TPN 
as a TA. The resulting TA is timed-bisimilar and has far fewer clocks 
than previous methods, which is of importance for TA model-checking. 

Such translations show that TCTL and CTL are decidable for T-TPN and 
that developed algorithms on TA may be extended to T-TPN. 

In this paper, we consider T-TPN in which a transition can be fired within 
a time interval. For this model, boundedness is undecidable and works report un- 
decidability results, or decidability under the assumption of boundedness of the 
TPN (as for reachability, decidability [Pop91]). Boundedness and other results 
are obtained by computing the state-space. 

Related Work 

State Space Computation of a T-TPN. The main method to compute the state 
space of a TPN is the state class graph [Men82, BD91]. A state class C of a TPN 
is a pair (M, D) where M is a marking and D a set of inequalities called the 
firing domain. A variable x_i of the firing domain represents the firing time of 
the enabled transition t_i relative to the time when the class C was entered, 
truncated to nonnegative times. The state class graph preserves markings 
[BV03] as well as traces and complete traces but can only be used to check 
untimed reachability properties and is not accurate enough for checking quantitative 
real-time properties. An alternative approach has been proposed by Yoneda 
et al. [YR98] in the form of an extension of equivalence classes (atomic classes) 
which allows CTL model-checking. Lilius [Lil99] refined this approach so that it 
becomes possible to apply partial order reduction techniques that have been developed 
for untimed systems. Berthomieu and Vernadat [BV03] propose an 
alternative construction of the graph of atomic classes of Yoneda applicable to 
a larger class of nets. In [OY97], Okawa and Yoneda propose another method 
to perform CTL model-checking on T-TPN; they use a region-based algorithm 
on safe TPN without ∞ as latest firing time. Their algorithm is based on the 
one of [AD94] and aims at computing a graph conserving branching properties. 
Nevertheless, the algorithm used to construct the graph seems inefficient (their 
algorithm does code regions) and no result can be exploited to compare with other 
methods. 

Zone Based Algorithm. Another model used to represent timed systems is the 
Timed Automaton (TA) introduced by Alur and Dill [AD94]. They introduce 
the construction of the state space based on regions, i.e. a representation 
of clock values using equivalence classes. The state space is built by analyzing 
successors of the initial region (forward analysis). Actually, efficient forward 
(and backward) algorithms using regions do not code regions but zones, a finite 
convex union of regions, because regions suffer from combinatorial explosion and 
are quite uneasy to manipulate. This method (forward analysis + zones) is implemented 
in tools like Uppaal [LPY97] or Kronos [Yov97] and is efficiently 
used to model-check CTL or TCTL properties on timed systems. 

Nevertheless, recent works proved the limitations of the data structure used 
to represent zones: Difference Bounded Matrices (DBM). Bouyer [Bou02, 
Bou03] proved that the use of DBM made in the forward algorithm leads to 
an over-approximation of the state space: some states are said to be reachable 
while, indeed, they are not. 



Contributions 

Our aim is to compute efficiently the state space of a bounded T-TPN in order 
to verify quantitative timing properties. 

The paper presents a different approach to compute the state 
space of an unsafe bounded T-TPN based on the TA region graph method. 
Although the region encoding is based on the use of zones implemented with DBM, 
the algorithm is proved to be exact with respect to the reachability of a marking. 

In section 2, we first recall the semantics of T-TPN and present the state class 
method and its limitations for model-checking. We propose in section 3 a forward 
algorithm to compute the state space of a bounded T-TPN and prove it is exact 
with respect to the set of reachable markings. We then present in section 4 some 
details on the implemented tool and we give an example of the use of observers 
to check properties on T-TPN. We also compare our tool with a tool using the 
state class method (Tina). Our experimental tests give encouraging results. 
2 Definitions 

2.1 Time Petri Nets 

Definition 1 (T-TPN). A Time Petri Net is a tuple (P, T, •(.), (.)•, α, β, M_0) 
defined by: 

— P = {p_1, p_2, …, p_m} is a non-empty set of places, 

— T = {t_1, t_2, …, t_n} is a non-empty set of transitions, 

— •(.) : T → ℕ^P is the backward incidence function, 

— (.)• : T → ℕ^P is the forward incidence function, 

— M_0 ∈ ℕ^P is the initial marking of the Petri Net, 

— α : T → ℚ⁺ is the function giving the earliest firing time for a transition, 

— β : T → ℚ⁺ ∪ {∞} is the function giving the latest firing time for a transition. 

A Petri Net marking M is an element of ℕ^P such that for all p ∈ P, M(p) 
is the number of tokens in the place p. 

A marking M enables a transition t_i if the number of tokens in the corresponding 
places is greater than or equal to the valuation of the incoming arcs: M ≥ •t_i. 
The set of transitions enabled by a marking M is enabled(M). 

A transition t_k is said to be newly enabled by the firing of a transition t_i if 
M − •t_i + t_i• enables t_k and M − •t_i does not enable t_k. If t_i remains enabled 
after its firing then t_i is newly enabled. The set of transitions newly enabled by 
a transition t_i for a marking M is noted ↑enabled(M, t_i). 

v ∈ (ℝ≥0)^T is a vector of clock valuations. v_i is the time elapsed since the 
transition t_i was newly enabled. 

The semantics of a T-TPN is defined as a Timed Transition System (TTS). 
Firing a transition is a discrete transition of the TTS; waiting in a marking is the 
continuous transition. 



Definition 2 (Semantics of a T-TPN). The semantics of a T-TPN is defined 
by the Timed Transition System S = (Q, q_0, →): 

— Q = ℕ^P × (ℝ≥0)^T 

— q_0 = (M_0, 0) 

— → ∈ Q × (T ∪ ℝ) × Q is the transition relation including a discrete transition 
and a continuous transition. 

• The continuous transition is defined ∀d ∈ ℝ≥0 by: 

(M, v) --d--> (M, v') iff v' = v + d and ∀k ∈ [1, n], M ≥ •t_k ⇒ v'_k ≤ β(t_k) 

• The discrete transition is defined ∀t_i ∈ T by: 

(M, v) --t_i--> (M', v') iff M ≥ •t_i, M' = M − •t_i + t_i• and α(t_i) ≤ v_i ≤ β(t_i) 
2.2 The State Class Method 

The main method to compute the state space of a Time Petri Net is the state 
class method introduced by Berthomieu and Diaz in [BD91]. 

Definition 3 (State class). A State Class C of a TPN is a pair (M, D) 
where M is a marking and D a set of inequalities called the firing domain. 
A variable x_i of the firing domain represents the firing time of the enabled transition 
t_i relative to the time when the class C was entered. 

The state class graph is computed iteratively as follows. 

Definition 4 (State Class Method). Given a class C = (M, D) and a firable 
transition t_j, the successor class C' = (M', D') by the firing of t_j is obtained by: 

1. Computing the new marking M' = M − •t_j + t_j•. 

2. Making the variable substitution in the domain: ∀i ≠ j, x_i ← x'_i + x_j. 

3. Eliminating x_j from the domain using for instance the Fourier-Motzkin 
method. 

4. Computing a canonical form of D' using for instance the Floyd-Warshall 
algorithm. 

In the state class method, the domain associated to a class is relative to 
the time when the class was entered and, as the transformation (time origin 
switching) is irreversible, absolute values of clocks cannot be obtained easily. The 
graph produced is an abstraction of the state space for which temporal information 
has been lost and, generally, the graph has more states than the number 
of markings of the TPN. Transitions between classes are no longer labeled with 
a firing constraint but only with the name of the fired transition: the graph is 
a representation of the untimed language of the TPN. 

2.3 Limitations of the State Class Method 

As a consequence of the graph construction, sophisticated temporal properties 
are not easy to check. Indeed, the domain associated to a marking is made of 
relative values of clocks and the function to compute domains is not bijective. 
Consequently, domains cannot be easily used to verify properties involving constraints 
on clocks. 

In order to get rid of these limitations, several works aim to construct a different 
state class graph by modifying the equivalence relation between classes. 
To our knowledge, the proposed methods [BV03] depend on the property to check: 
checking LTL or CTL properties leads to constructing different state class 
graphs. 

Another limitation of methods and proposed tools to check properties is the 
need to compute the whole state graph while only the reachability of a given 
marking is needed (safety properties). The graph is then analyzed by a model 
checker. Using observers is even more costly: actually, for each property to be 
checked, a new state class graph has to be built and the observer can dramatically 
increase the size of the state space. 

In the next section we will present another method to compute the state 
space of a bounded T-TPN. The resulting graph keeps the temporal 
information in memory and allows testing temporal properties on the fly. The graph is 
also more compact: it has exactly as many nodes as the number of reachable 
markings of the TPN. 

3 A Forward Algorithm to Compute the State Space 
of a Bounded T-TPN 

The method we propose in this paper is an adaptation, proved to be exact, of 
the region-based method for Timed Automata [AD94, Rok93]. 

First, we define a zone as a convex union of regions as defined by Alur 
and Dill [AD94]. For short, considering n clocks, a zone is a convex subset of 
(ℝ≥0)^n. A zone can be represented by a conjunction of constraints on pairs of 
clocks: x_i − x_j ⋈ c where ⋈ ∈ {<, ≤, =, ≥, >} and c ∈ ℕ. 

3.1 Our Algorithm: One Iteration 

Given the initial marking and initial values of clocks, timing successors are iter- 
atively computed by letting time pass or by firing transitions. 

Let M_0 be a marking and Z_0 a zone. The computation of reachable markings 
from M_0 according to the zone Z_0 is made as follows: 

— Compute the possible evolution of time (future) of Z_0. This is obtained by 
setting all upper bounds of clocks to infinity. 

— Select only the possible valuations of clocks for which M_0 can exist, i.e. 
valuations of clocks must not be greater than the latest firing time of enabled 
transitions. So, Ẑ_0 is the maximal zone starting from Z_0 for which the marking M_0 exists. 

— Determine the firable transitions: t_i is firable if Ẑ_0 ∩ {x_i ≥ α_i} is a non-empty 
zone. 

— For each firable transition t_i leading to a marking M_0i, compute the zone 
entering the new marking: 

Z_i = (Ẑ_0 ∩ {x_i ≥ α_i})[X_e := 0], where X_e is the set of clocks of the newly enabled transitions. 

This means that each transition which is newly enabled has its clock reset. 
Then, Z_i is a zone for which the new marking M_0i is reachable. 
Fig. 1. Time Petri Net with an unbounded number of zones 



3.2 Convergence Criterion 

To ensure termination, a list of zones is associated to each reachable marking. 
It will keep track of zones for which the marking was already analyzed or will 
be analyzed. At each step, we compare the zone currently being analyzed to 
the ones previously computed. If the zone is included in one of the zones of the list, there 
is no need to go further because it has already been analyzed or it will lead to 
computing a subgraph. 

3.3 Overapproximation on Zones 

An algorithm to enumerate reachable markings for a bounded TPN could be 
based on the described algorithm but, generally, it will lead to a non-terminating 
computation. Though the number of reachable markings is finite for a bounded 
TPN, the number of zones in which a marking is reachable is not necessarily 
finite (see figure 1). 

Let us consider the infinite firing sequence (T_2 T_3)*. The initial zone is {x_1 = 
0 ∧ x_2 = 0 ∧ x_3 = 0} (where x_i is the clock associated to T_i), the initial marking 
M_0 = (P_1, P_2, P_3) = (1, 1, 0). By letting time pass, M_0 is reachable until 
x_2 = 1. When x_2 = x_1 = 1 the transition T_2 has to be fired. The zone 
corresponding to the clock values is: Z_0 = {0 ≤ x_1 ≤ 1 ∧ x_1 − x_2 = 0}. By firing T_2 
and then T_3, the net returns to its initial marking. Entering it, the values of the clocks 
are: x_1 = 2, x_2 = 0 and x_1 − x_2 = 2. Indeed, T_1 remains enabled while T_2 and T_3 
are fired and x_2 is reset when T_3 is fired because T_2 became newly enabled. 
Given these new values, the initial marking can exist while x_2 ≤ 1, i.e. for the 
zone: Z_1 = {2 ≤ x_1 ≤ 3 ∧ x_1 − x_2 = 2}. By applying the sequence 
(T_2, T_3) infinitely often, there exists an infinite number of zones for which the initial marking 
is reachable. 

Actually, the number of zones is not bounded because infinity is used as latest 
firing time (T_1). If infinity is not used as latest firing time, all clocks are bounded 
and so the number of different zones is bounded [AD94]. The "naive" algorithm 
is then exact and can be used to compute the state space of a bounded T-TPN. 
We will propose a more general algorithm which computes the state space of 
a T-TPN as defined in section 2, i.e. with infinity allowed as latest firing time. It 
will be based on the use of an operator on zones which induces an equivalence 
relation on zones with a finite number of classes. 

3.4 Approximation 

A common operator on zones is the k-approx operator. For a given value of k, the 
use of this operator allows creating a finite set of distinct zones, as presented 
in [AD94]. The algorithm proposed is an extension of the one presented in section 
3.1. It consists in applying the k-approx operator on the zone resulting from 
the last step. 

This approximation is based on the fact that once the clock associated to an 
unbounded transition ([a, ∞[) has reached the value a, its precise value does not 
matter. Using k-approx (with k = a) allows regrouping all zones [x, ∞[, x ≥ a 
in one equivalence class. 

Unfortunately, recent works on Timed Automata [Bou02, Bou03] have 
proved that this operator generally leads to an overapproximation of the reachable 
locations of a TA. Nevertheless, for a given class of TA (diagonal-free), there 
is no overapproximation of the reachable locations. 

Bouyer's results extend directly to T-TPN and we can assert 
the following theorem: 

Theorem 1. A forward analysis algorithm using k-approx on zones is exact with 
respect to TPN marking reachability for bounded TPN. 

A detailed presentation of Bouyer's result and the proof of 
this theorem are given in appendix A. 

As the approximation is only needed for T-TPN with infinity as latest firing 
time, the following corollary can be asserted: 

Corollary 1. For a bounded T-TPN without infinity as latest firing time, a forward 
analysis algorithm using zones computes the exact state space of the T-TPN. 
The proof is given in appendix A. 
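As a worked illustration of sections 3.1 to 3.4, the following Python program implements the forward algorithm on zones coded as DBMs: future, intersection with the invariants x_t ≤ β(t), the firability test x_t ≥ α(t), reset of the clocks of newly enabled transitions, the inclusion-based convergence criterion and the k-approx operator. It is added here as an example; it is neither the paper's Mercutio code nor its Figure 1. It runs on a constructed net assumed to behave like the description of Figure 1: T_1 has [10, ∞[ as firing interval, while T_2 and T_3 with [1, 1] shuttle a token between P_2 and P_3. Clocks of disabled transitions carry no information and are kept at 0, which is an encoding choice of this example. Without k-approx the search keeps producing the zones Z_k = {2k ≤ x_1 ≤ 2k+1 ∧ x_1 − x_2 = 2k} and never converges; with it the search terminates and the set of markings it reports is exact, as Theorem 1 states.

```python
INF = float("inf")

# Constructed T-TPN in the spirit of the paper's Figure 1 (an assumption, not its net):
# T1 has infinity as latest firing time, so its clock keeps growing while T2 and T3
# shuttle a token between P2 and P3 once per time unit.
PLACES = ("P1", "P2", "P3")
TRANS = {                                  # name: (pre-set, post-set, alpha, beta)
    "T1": ({"P1": 1}, {},         10, INF),
    "T2": ({"P2": 1}, {"P3": 1},   1, 1),
    "T3": ({"P3": 1}, {"P2": 1},   1, 1),
}
M0 = (1, 1, 0)
NAMES = tuple(TRANS)                       # DBM index idx(t) is the clock of transition t
K = max(c for _, _, a, b in TRANS.values() for c in (a, b) if c != INF)
idx = lambda t: NAMES.index(t) + 1

def enabled(m):
    return [t for t, (pre, _, _, _) in TRANS.items()
            if all(m[k] >= pre.get(p, 0) for k, p in enumerate(PLACES))]

def fire(m, t):
    """Discrete step of Definition 2: (M - pre(t) + post(t), newly enabled transitions)."""
    pre, post, _, _ = TRANS[t]
    inter = tuple(m[k] - pre.get(p, 0) for k, p in enumerate(PLACES))   # M - pre(t)
    new = tuple(inter[k] + post.get(p, 0) for k, p in enumerate(PLACES))
    return new, [u for u in enabled(new) if u == t or u not in enabled(inter)]

# Zones as DBMs: D[i][j] bounds x_i - x_j with x_0 = 0.  All bounds are non-strict,
# since alpha and beta are integers and firing intervals are closed.
cp = lambda D: [row[:] for row in D]
is_empty = lambda D: any(D[i][i] < 0 for i in range(len(D)))
included = lambda D, E: all(D[i][j] <= E[i][j] for i in range(len(D)) for j in range(len(D)))

def close(D):
    """Floyd-Warshall canonical form, so that inclusion is a pointwise comparison."""
    n = len(D)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if D[i][k] + D[k][j] < D[i][j]:
                    D[i][j] = D[i][k] + D[k][j]
    return D

def future(D):
    """Let time elapse: every upper bound on a clock becomes infinity."""
    D = cp(D)
    for i in range(1, len(D)):
        D[i][0] = INF
    return D

def bound(D, i, lo=None, hi=None):
    """Intersect with lo <= x_i <= hi."""
    D = cp(D)
    if lo is not None:
        D[0][i] = min(D[0][i], -lo)
    if hi is not None:
        D[i][0] = min(D[i][0], hi)
    return close(D)

def reset(D, i):
    """Set x_i to 0 (the [X_e := 0] operation of Sect. 3.1)."""
    D = cp(D)
    for j in range(len(D)):
        D[i][j], D[j][i] = D[0][j], D[j][0]
    D[i][i] = 0
    return close(D)

def k_approx(D, k):
    """k-approx of Sect. 3.4: bounds beyond k are forgotten, so a clock with infinity as
    latest firing time stops generating new zones once it has passed every constant."""
    return close([[INF if i != j and v > k else -k if i != j and v < -k else v
                   for j, v in enumerate(row)] for i, row in enumerate(D)])

def drop_disabled(D, m):
    """Clocks of disabled transitions carry no information: keep them at 0 (our encoding)."""
    for t in NAMES:
        if t not in enabled(m):
            D = reset(D, idx(t))
    return D

def reachable_markings(approx=True, max_zones=100):
    """Forward algorithm of Sect. 3.1-3.4.  Returns (markings, terminated); without
    k-approx this net yields ever new zones, so the search is cut off at max_zones."""
    n = len(NAMES) + 1
    work, zones = [(M0, drop_disabled([[0] * n for _ in range(n)], M0))], {}
    while work:
        m, z = work.pop()
        if approx:
            z = k_approx(z, K)
        seen = zones.setdefault(m, [])
        if any(included(z, old) for old in seen):      # convergence criterion (Sect. 3.2)
            continue
        seen.append(z)
        if sum(len(v) for v in zones.values()) > max_zones:
            return set(zones), False
        zf = drop_disabled(future(z), m)
        for t in enabled(m):                            # M exists only while x_t <= beta(t)
            zf = bound(zf, idx(t), hi=TRANS[t][3])
        for t in enabled(m):
            g = bound(zf, idx(t), lo=TRANS[t][2])       # t firable iff this zone is non-empty
            if is_empty(g):
                continue
            m2, newly = fire(m, t)
            for u in newly:                             # newly enabled clocks are reset
                g = reset(g, idx(u))
            work.append((m2, drop_disabled(g, m2)))
    return set(zones), True
```

Calling reachable_markings(approx=False) returns terminated = False once more than max_zones zones have been stored, because every round of T_2 T_3 enters the initial marking with x_1 two units larger and a zone not included in any previous one. Calling reachable_markings() converges after a handful of zones per marking and reports the four markings (1,1,0), (1,0,1), (0,1,0) and (0,0,1), the last two being reached once x_1 has passed 10 and T_1 fires. The approximated zone {x_1 ≥ 10, x_2 = 0, x_3 = 0} contains clock values that are not reachable at the initial marking, which is the overapproximation on zones the text mentions, yet no unreachable marking appears.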



4 The Tool: Mercutio 

4.1 Presentation 

We have implemented the algorithm to compute all the reachable markings 
of a bounded T-TPN using DBM to encode zones. The tool implemented 
(Mercutio) is integrated into Romeo [Rom00], a software for TPN editing 
and analysis. 

As boundedness of T-TPN is undecidable, Mercutio offers stopping criteria: 
number of reached markings, computation time, bound on the number of tokens 
in a place. 
Table 1. Tina 2.5.1 - Mercutio (Pentium II, 400 MHz, 256Mb) 

Time Petri Net                            TPN (places / trans.)   Tina          Mercutio 
Example 1 (oex15)                         16 / 16                 10.5 s        1.4 s 
Example 2 (oex7)                          22 / 20                 30.5 s        2.4 s 
Example 3 (oex8)                          31 / 21                 29 s          2.4 s 
Example 4 (P6G7)                          21 / 20                 31.6 s        8.5 s 
Example 5 (P10G10)                        32 / 31                 4.2 s         1.8 s 
Example 6 (landing gear)                  107 / 101               18 min 27 s   27.8 s 
Example 7 (Gate Controller - 3 trains)    20 / 23                 2 s           il s 
Example 8 (Gate Controller - 4 trains)    24 / 29                 3 min 8 s     9 s 

4.2 Performances 

We have compared our tool with Tina [BV]. Tina is developed by Berthomieu 
and it is the most efficient tool we know for the state class construction of a TPN. 
The results are given in table 1. We used the last stable version of Tina (2.5.1). 
Though the method is not the same, it gives a time reference for computing all 
reachable markings of a T-TPN. 

Examples 1 to 5 come from real-time systems (parallel tasks [1], periodic 
tasks [2-3], producer-consumer [4-5]). Example 6 is a larger system representing 
a simplified landing gear, it counts 107 places and 101 transitions. It is a T-TPN 
representation of a landing gear case study published in [BC02]. Examples 7 and 
8 are the classical level crossing example (3 and 4 trains). 

For this set of examples and for all nets we have tested, our tool performs 
better than Tina. 

4.3 Reachability Analysis Observers 

TPN observers are a method to model-check TPN. It consists in adding to the 
Petri Net places and transitions that model the property to check. The property is 
transformed into testing for the reachability of a given marking. Then, as for the 
construction of the state class graph, it is possible to check properties on TPN 
with observers. 

Fig. 2. Example of a TPN and an observer (dashed) 

In [TST97], the authors present generic observers to model properties like 
absolute or relative time between the firing of transitions, causality or simul- 
taneity. 

Let us consider the net of figure 2. It represents a simple TPN and an observer 
drawn dashed. The observer allows checking the property: "2 successive occurrences 
of T_3 always happen in less than 4 time units". The property is false if 
a run exists in which the place FALSE holds a token. 

Constructing the state space and looking for a run with a token in FALSE 
allows one to conclude that the property is false. 

Generally there is no need to compute the whole state space: the algorithm 
can be stopped at the first marking verifying a property. In its current release, 
Mercutio can perform an on-the-fly analysis of the TPN. Given a set of 
constraints on reachable markings, Mercutio will stop at the first marking 
verifying the constraints provided. 

5 Conclusions

In this paper we proposed an efficient method based on the region graph
approach to compute the state space of a bounded T-TPN. The implemented
algorithm computes the graph of reachable markings using zones coded as DBMs,
and we proved it is exact with respect to reachability. Tests on several
examples show that our implementation is faster than the most efficient tool we
know of for computing the state class graph (Tina).

Nevertheless, observers remain a cumbersome way to model check a Petri net:
for each new property an observer has to be built and the state space has to be
computed again. As our method computes the exact state space of a bounded
TPN without infinity as latest firing time, we are working on an on-the-fly
TCTL model checker. Despite the overapproximation issue for TPNs with infinity
as latest firing time, we think that model checking remains possible by choosing
an appropriate parameter for the approximation.

The memory needs of Mercutio could also be improved by using more compact
data structures. Although DBMs are an efficient way to represent zones, several
works offer data structures based on Binary Decision Diagrams (CDD, RED, CRD)
to reduce memory needs. We are currently working on such improvements.
A Proof of Theorems 1 and 2

The proof of the theorems is a consequence of the work of Bouyer on timed
automata.

A.1 Timed Automata and Overapproximation.

In [Bou02, Bou03] the author presents an algorithm for timed automata which is
exact with respect to reachability and uses an operator called $\mathit{Closure}_k$.
It is then proved that the operator k-approx, commonly used on DBMs, leads to a
zone included in $\mathit{Closure}_k(Z)$. $\mathit{Closure}_k$ has the same aim as
k-approx: it divides the clock space into a finite number of regions so that the
number of computed zones is finite.

Let $A$ be an updatable timed automaton and $k$ the greatest constant appearing
in the clock constraints of $A$. $\mathcal{R}_k$ is the finite set of regions
defined in [BDFP00] (similar to the regions of Alur and Dill [AD94]). The
operator $\mathit{Closure}_k$ is defined, for any zone $Z$, by:

$$\mathit{Closure}_k(Z) = \bigcup \{ R \in \mathcal{R}_k \mid R \cap Z \neq \emptyset \}$$

A transition $t_i$ of $A$ carries a guard, which is a conjunction of diagonal-free
constraints on clocks, and an update $up_i$, a function assigning values to some
clocks. Diagonal-free constraints are constraints which do not involve comparisons
between clocks: they are only of the form $x \sim n$ with $n \in \mathbb{N}$ and
$\sim \in \{<, \leq, =, \geq, >\}$. Let

$$\mathit{Post}^{c}_{t}(Z) = \mathit{Post}_{t}(\mathit{Closure}_k(Z))$$

and, for a sequence of transitions $t_1, \ldots, t_n$,

$$M_1 = \mathit{Post}_{t_n} \circ \mathit{Post}_{t_{n-1}} \circ \cdots \circ \mathit{Post}_{t_1}(Z)$$
$$M_2 = \mathit{Post}^{c}_{t_n} \circ \mathit{Post}^{c}_{t_{n-1}} \circ \cdots \circ \mathit{Post}^{c}_{t_1}(Z)$$
$$M_3 = \mathit{Closure}_k(M_1)$$

$M_1$ is the exact zone resulting from the sequence of transitions $t_1, \ldots, t_n$
and $M_2$ is the zone computed by a forward algorithm using $\mathit{Closure}_k$.
Using properties of $\mathit{Closure}_k$, it is proved that $M_1 \subseteq M_2 \subseteq M_3$.
In particular, if $M_1$ is empty then $\mathit{Closure}_k(M_1)$ is also empty, and so
is $M_2$: an algorithm using $\mathit{Closure}_k$ as operator is exact with respect
to reachability.

Nevertheless, $\mathit{Closure}_k$ is not easy to compute, whereas DBMs are known
to be an efficient data structure for operations on zones. It is then proved that
for any zone $Z$,

$$Z \subseteq \text{k-approx}(Z) \subseteq \mathit{Closure}_k(Z)$$

where k-approx is computed by replacing in the DBM all values greater than $k$
by $\infty$ and all values lower than $-k$ by $-k$.

Consequently, any algorithm using k-approx is also exact with respect to
reachability for updatable timed automata with diagonal-free constraints. The
proof of this result relies mainly on the fact that the constraints appearing in
the automaton are diagonal-free.

A.2 Reachability of a Marking for a TPN Using DBM.

Theorem 1. A forward analysis algorithm using k-approx on DBMs is exact with
respect to marking reachability for bounded T-TPNs.

Proof. We prove that the operations on zones we need are a subset of those
described in [Bou02, Bou03]. We choose $k$ as the greatest finite bound of a
firing interval:

$$k = \max\left(\max_{t_i \in T} \alpha(t_i),\ \max_{t_i \in T,\ \beta(t_i) \neq \infty} \beta(t_i)\right)$$

The reset function is a particular case of the update function, and the
intersections we perform on zones are intersections with diagonal-free
constraints: each clock is intersected with the latest firing time of its
associated transition. Thus, the operations on zones for TPNs satisfy the
hypotheses of the proof presented in [Bou02, Bou03]. □

Corollary 1. For a bounded T-TPN without infinity as latest firing time, a
forward analysis algorithm using zones computes the exact state space of the
T-TPN.

Proof. As infinity is not used as a latest firing time, all clocks are bounded
and so the number of distinct zones is bounded [AD94]. The computed state
space is therefore exact.
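The forward algorithm of Theorem 1 in code, as an added example that is not the Mercutio implementation: a DBM with non-strict bounds only (closed firing intervals, strictness bits left out), the three zone operations the proof relies on (time elapse, intersection with the diagonal-free constraint $\alpha \leq x \leq \beta$, reset) and k-approx exactly as defined in A.1. The loop in `explore` is a constructed abstraction, not a T-TPN from the paper: clock x fires in [1, 2] and is reset each round, while clock y is never reset, like the clock of a transition whose latest firing time is infinity. Without k-approx the zones y ∈ [n, 2n] never repeat; with k = 2 the exploration reaches a fixpoint after three zones, and Z ⊆ k-approx(Z) is checked at each step. All function names are the example's own.

```python
"""DBM zones and k-approx from the proof of Theorem 1 (added example).

Clocks are x_1..x_n plus the reference clock x_0 = 0.  D[i][j] is an upper
bound on x_i - x_j and INF means "no bound".  Bounds are non-strict only, as
for closed firing intervals [alpha, beta]; strictness bits are left out.
"""
from itertools import product

INF = float("inf")


def canonical(D):
    """Tighten all bounds (Floyd-Warshall).  D[i][i] < 0 afterwards means empty."""
    n = len(D)
    D = [row[:] for row in D]
    for k, i, j in product(range(n), repeat=3):
        if D[i][k] + D[k][j] < D[i][j]:
            D[i][j] = D[i][k] + D[k][j]
    return D


def is_empty(D):
    return any(D[i][i] < 0 for i in range(len(D)))


def zero_zone(n):
    """All n clocks equal to 0 (initial zone)."""
    return [[0] * (n + 1) for _ in range(n + 1)]


def future(D):
    """Time elapse: drop every upper bound x_i <= c, keep the differences."""
    D = [row[:] for row in D]
    for i in range(1, len(D)):
        D[i][0] = INF
    return canonical(D)


def constrain(D, i, lo=None, hi=None):
    """Intersect with the diagonal-free constraint lo <= x_i <= hi, e.g. the
    firing interval [alpha(t), beta(t)] of the transition owning clock x_i."""
    D = [row[:] for row in D]
    if lo is not None:
        D[0][i] = min(D[0][i], -lo)
    if hi is not None:
        D[i][0] = min(D[i][0], hi)
    return canonical(D)


def reset(D, i):
    """x_i := 0, the special case of Bouyer's update used by TPNs."""
    D = canonical(D)
    for j in range(len(D)):
        D[i][j] = D[0][j]
        D[j][i] = D[j][0]
    D[i][i] = 0
    return D


def k_approx(D, k):
    """Replace every bound > k by INF and every bound < -k by -k, then
    re-canonicalise so that equal zones get equal matrices."""
    D = canonical(D)
    if is_empty(D):
        return D
    for i, j in product(range(len(D)), repeat=2):
        if i != j and D[i][j] > k:
            D[i][j] = INF
        elif i != j and D[i][j] < -k:
            D[i][j] = -k
    return canonical(D)


def includes(outer, inner):
    """inner is a subset of outer, checked bound by bound on canonical forms."""
    a, b = canonical(outer), canonical(inner)
    return all(b[i][j] <= a[i][j] for i, j in product(range(len(a)), repeat=2))


def explore(k=None, max_rounds=50):
    """Forward loop on a constructed two-clock abstraction: each round, time
    elapses, clock x (index 1) fires in [1, 2] and is reset, while clock y
    (index 2) is never reset, like the clock of a transition whose latest firing
    time is infinity.  Returns the number of distinct zones met before the first
    repetition, or max_rounds if no zone repeats."""
    Z, seen = zero_zone(2), set()
    for _ in range(max_rounds):
        key = tuple(tuple(row) for row in Z)
        if key in seen:
            return len(seen)
        seen.add(key)
        Z = reset(constrain(future(Z), 1, lo=1, hi=2), 1)
        if k is not None:
            assert includes(k_approx(Z, k), Z)  # Z is a subset of k-approx(Z)
            Z = k_approx(Z, k)
    return max_rounds


if __name__ == "__main__":
    print("without k-approx:", explore(), "zones and no fixpoint")
    print("with k = 2:", explore(k=2), "zones, then a fixpoint")
```

The matrices are compared after canonicalisation, which is what makes the fixpoint test meaningful: two DBMs denote the same zone exactly when their canonical forms are equal.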
Abstract. We present a process algebra suitable for the modelling of
timed concurrent systems and for their efficient verification through model
checking. The algebra is provided with two consistent semantics: a structural
operational semantics (as usual for process algebras) and a denotational
semantics in terms of Petri nets in which time is introduced through counters
of explicit clock ticks. This way of modelling time has been called causal
time, so the process algebra is itself called the Causal Time Calculus (CTC).
It was shown in a separate paper [3] that the causal time approach allows for
efficient verification but suffers from a sensitivity to the constants to which
counts of ticks are compared. We show in this paper how this weakness can be
removed.



1 Introduction

This paper presents a process algebra in which the representation of timing
constraints can be explicitly included. With respect to the many such models
already defined (a short comparison is given in the conclusion), our contribution
is: first, to provide a concurrent semantics instead of the interleaving generally
used; second, to propose a multiway communication scheme; and third, to give
a way through which efficient model checking can be performed. We thus define
a structural operational semantics (SOS), explicitly including concurrency,
through SOS rules in Plotkin's style [17]; then a consistent denotational
semantics is given by a transformation from process terms to Petri nets on which
dedicated verification techniques may be applied [8]. The involved class of Petri
nets consists of composable, labelled and coloured nets in which time is introduced
by explicitly modelling clocks and counters of clock ticks. This is sometimes
called the causal time approach and thus, our algebra is called the Causal Time
Calculus (CTC). It is worth noting that CTC is actually a descendant of the
Petri Box Calculus [2] and inherits, in particular, a large part of its syntax, the
multiway communication scheme and the concurrent semantics.

A case study [3] made a comparison between the causal time approach and
timed automata [1]; it turned out that the verification of Petri nets with causal
time using a general model checker for high-level Petri nets (MARIA [13]) was
more efficient than the verification of timed automata using well known tools
(Kronos [20] and UPPAAL [12]). The approach in [3] was to translate timed
automata into the closest possible Petri nets, without any special optimisation.
Indeed, an important concern was to avoid a biased comparison. Thus, even if
one case study does not allow for any conclusion, this result is very encouraging.
However, the causal time approach suffers from a sensitivity to the constants to
which tick counters are compared: the size of the state space actually depends
on the product of the largest constants compared to each counter. If one uses $k$
counters, each compared to a value $n$, one gets $n^k$ states only to represent the
timing information. We show at the end of this paper that this problem can be
removed by identifying states which differ by the values of the tick counters
but are otherwise identical, i.e., lead to the same evolutions. This is very similar
to the notion of regions developed for timed automata [1] and allows to use
verification techniques based on the concurrent semantics of Petri nets [8], which
are generally much more efficient than those based on the interleaving semantics
(as in MARIA). The benefit is thus twofold: first, to remove the sensitivity to
constants, and second, to improve on the good performances obtained in [3].

The next section defines the algebra of terms and its operational semantics.
Section 3 presents the Petri nets, called boxes, used to define the denotational
semantics and gives the transformation from process terms to boxes. These two
sections form an extended abstract of the technical report [18] which provides
the full definitions, properties and proofs. Section 4 addresses the question
of the verification of boxes and is a completely new contribution. We conclude
in section 5 and briefly compare CTC to other timed process algebras.

2 CTC Terms: Syntax and Operational Semantics

Communication. We assume that there is a set $A$ of actions used to model
handshake communication. We also assume that $\tau \notin A$ and that, for every
$a \in A$, $\bar{a}$ is also an action in $A$ such that $\bar{\bar{a}} = a$. A multiaction is a
finite multiset of actions and we denote by $\{\}$ the empty multiaction.

Communication in CTC generalises the synchronisation of CCS [16] (allowed
by the parallel composition) followed by the restriction (which forbids the
independent execution of synchronised actions). This is formalised through the
partial functions $\varphi_{sc\,a}$, for $a \in A$, which map the multisets of multiactions
allowed to handshake to the multiactions resulting from the communication. For
instance, $\varphi_{sc\,a_1}$ is such that its domain contains
$\Gamma = \{\{a_1, a_1, a_2\}, \{\bar{a}_1, a_3\}, \{\bar{a}_1\}\}$, which denotes that the
multiactions of $\Gamma$ may perform a three-way synchronisation. The multiaction
corresponding to this communication is given by $\varphi_{sc\,a_1}(\Gamma) = \{a_2, a_3\}$.
On the contrary, $\{\{a_1, a_2\}, \{a_2\}\}$ is not in the domain of $\varphi_{sc\,a_1}$
because the multiactions $\{a_1, a_2\}$ and $\{a_2\}$ cannot handshake.



Clocks. The progression of time will be reflected on clocks, which are nonnegative
integer variables that can be tested or updated by the processes. We denote
by $\mathbb{N}$ the set of natural numbers. The set $C$ of clocks is finite and we assume
that there exists a function $\max : C \to \mathbb{N} \setminus \{0\}$ which gives the maximum
value allowed for each clock. This allows to specify deadlines, i.e., time boundaries
within which a process completes [7]. Time progresses when a tick occurs,
incrementing simultaneously all the clocks, which is forbidden when at least one
clock has reached its maximum. Notice that we require $\max(c) > 0$ for all $c \in C$,
otherwise no tick could ever occur, resulting in an untimed model.

A clock vector is a partial function $\theta : C \to \mathbb{N}$ such that for all
$c \in \mathrm{dom}(\theta)$, $\theta(c) \leq \max(c)$. Such a mapping associates its current value
to each clock $c$ in its domain, i.e., the number of ticks which occurred since the
last reset of $c$. We denote by $V$ the set of all clock vectors. For $\theta_1$ and
$\theta_2$ in $V$ such that $\mathrm{dom}(\theta_1) \cap \mathrm{dom}(\theta_2) = \emptyset$, we denote
by $\theta_1 + \theta_2$ the clock vector whose domain is $\mathrm{dom}(\theta_1) \cup \mathrm{dom}(\theta_2)$
and which is equal to $\theta_1$ on $\mathrm{dom}(\theta_1)$ and to $\theta_2$ on $\mathrm{dom}(\theta_2)$.
By extension, writing $\theta_1 + \theta_2$ will implicitly imply that the domains of
$\theta_1$ and $\theta_2$ are disjoint. In the following we denote by $\theta(e)$ the
evaluation of the expression $e$ in which the clocks have been replaced by their
values as specified by $\theta$. For instance, if $\theta(c) = 3$ then we have
$\theta(c + 1) = 4$.

Clock vectors will be handled through clock expressions, attached to the
atomic process terms, which are sets of expressions of two kinds: comparisons
(for instance $c_1 + c_2 > 3$), used to specify a condition under which an atomic
process may be executed; and assignments (for instance $c_1 := c_2 + 1$) which
allow to change the value of a clock. It is required that a clock expression
$\delta$ contains at most one assignment for each clock in $C$. A particular clock
expression will be used in the following to represent the occurrence of a tick:
$\delta_\tau = \{c := c + 1 \mid c \in C\}$. We say that a clock vector $\theta$ enables a
clock expression $\delta$ if (1) all the clocks involved in $\delta$ belong to the domain
of $\theta$, (2) all the comparisons in $\delta$ evaluate to true through $\theta$, and
(3) all the assignments $c := e$ in $\delta$ are such that $\theta(e) \leq \max(c)$. In
such a case, applying to $\theta$ all the assignments specified in $\delta$ leads to a
new vector which is denoted $\delta(\theta)$.

Syntax. The syntax of CTC is given in the figure 1. We distinguish static terms,
denoted by $E$, which cannot evolve, from dynamic ones, denoted by $D$, where
the current state of the execution is represented by overbars (initial state) and
underbars (final state) which may flow through the terms during their execution.
We denote by $F$ a static or dynamic term.

The atomic terms are of the form $\alpha\delta$ where $\alpha$ is a multiaction and
$\delta$ is a clock expression. Consider for instance the two atomic terms
$\{a_1, a_2\}\{\}$ and $\{a_1\}\{c_2 > 0, c_2 := 0\}$. The first one denotes the
simultaneous receiving of the signal $a_1$ and sending of the signal $a_2$, which is
untimed; the second one can send the signal $a_1$ and reset the clock $c_2$ if the
value associated to $c_2$ is greater than zero. Various operators allow to combine
terms:

$E ::= \alpha\delta \mid E \mathrel{sc} a \mid E ; E \mid E \| E \mid E \Box E \mid E \circledast E \mid E @ \theta$

$D ::= \overline{E} \mid \underline{E} \mid D \mathrel{sc} a \mid D ; E \mid E ; D \mid D \| D \mid D \Box E \mid E \Box D \mid D \circledast E \mid E \circledast D \mid D @ \theta$

Fig. 1. The syntax of CTC terms, where $\alpha\delta$ is an atomic term, $a \in A$ and $\theta \in V$
— the sequential composition $F_1 ; F_2$ ($F_1$ is executed first and followed by $F_2$)
may be seen as a generalisation of the prefixing operator used in CCS;

— the choice $F_1 \Box F_2$ (either $F_1$ or $F_2$ may be executed) corresponds to the
choice of CCS;

— the parallel composition $F_1 \| F_2$ ($F_1$ and $F_2$ may evolve concurrently) differs
from that used in CCS since it does not allow for synchronisation;

— the iteration $F_1 \circledast F_2$ ($F_1$ is executed an arbitrary number of times and is
followed by $F_2$) allows to represent repetitions, where CCS would use recursion;

— the scoping $F \mathrel{sc} a$ (all the handshakes involving $a$ and $\bar{a}$ are enforced) was
discussed above.

In order to model the clocks, terms are decorated with clock vectors. For instance,
we may form $\{a\}\{c := 0\} @ \{c \mapsto 5\}$, denoting that the clock $c$ has the value 5
for the atomic term $\{a\}\{c := 0\}$.

Operational Semantics. An important part of the operational semantics relies
on equivalence rules allowing to identify distinct terms which actually correspond
to the same state. Formally, we define $\equiv$ as the least equivalence relation on
terms such that all the rules in the figure 2 are satisfied. Consider for instance
the rule IS2: it states that having the first component of a sequence in its final
state is equivalent to having the second component in its initial state, which is
indeed the expected semantics of a sequential composition.

Contrasting with CCS where evolutions are expressed by removing prefixes
of terms, as in $a.P \xrightarrow{a} P$, the structure of CTC terms never evolves; instead,
the overbars may be changed to underbars as in

$\overline{\{a\}\{c := 0\}} @ \{c \mapsto 5\} \longrightarrow \underline{\{a\}\{c := 0\}} @ \{c \mapsto 0\}$

which produces the timed multiaction $(\{a\}, \{c \mapsto 5\})$ denoting the occurrence
of $\{a\}$ when the clock $c$ had the value 5, while the reset $c := 0$ has been
reflected on the new clock vector. In order to have a concurrent semantics, several
timed multiactions may be combined, denoting their concurrent occurrence.
Given $\Gamma_1$ and $\Gamma_2$ two multisets of multiactions and $\theta_1, \theta_2 \in V$
having disjoint domains, $\Lambda_1 = (\Gamma_1, \theta_1)$ and $\Lambda_2 = (\Gamma_2, \theta_2)$
are timed multisets of multiactions and $\Lambda_1 + \Lambda_2 = (\Gamma_1 + \Gamma_2, \theta_1 + \theta_2)$.

Then, we define a ternary relation $\longrightarrow$ as the least relation comprising all
$(F, \Lambda, F')$, where $F$ and $F'$ are terms and $\Lambda$ is a timed multiset of
multiactions, such that the rules in the figure 3 hold. Notice that we use
$F \xrightarrow{\Lambda} F'$ to denote $(F, \Lambda, F') \in \longrightarrow$. When used with
$\circ = \|$, the rule EOP is the way through which true concurrency is introduced.
When used with another operator, the syntax ensures that at most one of $\Lambda_1$
or $\Lambda_2$ has a nonempty multiset of multiactions since at least one of the
operands must be a static term. In these cases, the rule EOP shall be used in
conjunction with EQ1 in order to compose a static term with a dynamic one.
Concerning the rule ETICK, it should be noted that the side condition
"$\theta$ enables $\delta_\tau$" implies that $\mathrm{dom}(\theta) = C$; thus the occurrence
of a tick always simultaneously increments all the clocks.
Fig. 2. Similarity relation, where $a \in A$, $\circ \in \{\|, ;, \Box, \circledast\}$ and
$\{\theta, \theta_1, \theta_2\} \subseteq V$. The rules are EX, ENT, CON1, CON2, ISC1, ISC2,
IPAR1, IPAR2, IC1L, IC2L, IC1R, IC2R, IS1, IS2, IS3, IIT1 to IIT5 and IAT1 to IAT5.
The over- and underbars that distinguish the two sides of most rules are lost in
this extract; the rules that survive without them are:

CON1: $F \equiv F'$ implies $F \mathrel{sc} a \equiv F' \mathrel{sc} a$

CON2: $F_1 \equiv F'_1$ and $F_2 \equiv F'_2$ imply $F_1 \circ F_2 \equiv F'_1 \circ F'_2$

IAT2: $F \equiv F'$ implies $F @ \theta \equiv F' @ \theta$

IAT4: $(E \mathrel{sc} a) @ \theta \equiv (E @ \theta) \mathrel{sc} a$

IAT5: $(E_1 \circ E_2) @ (\theta_1 + \theta_2) \equiv (E_1 @ \theta_1) \circ (E_2 @ \theta_2)$



Fig. 3. Evolution rules, where $\alpha\delta$ is an atomic term,
$\{\theta, \theta_1, \theta_2, \theta_\emptyset\} \subseteq V$, $a \in A$,
$\circ \in \{\|, ;, \Box, \circledast\}$ and assuming that all the applications of $+$
are well defined:

EQ1: $F \equiv F'$, $F' \xrightarrow{\Lambda} F''$ and $F'' \equiv F'''$ imply $F \xrightarrow{\Lambda} F'''$

EQ2: $F \xrightarrow{(\emptyset,\, \theta_\emptyset)} F$, where $\mathrm{dom}(\theta_\emptyset) = \emptyset$

EA: $\overline{\alpha\delta} @ \theta \xrightarrow{(\{\alpha\},\, \theta)} \underline{\alpha\delta} @ \delta(\theta)$, if $\theta$ enables $\delta$

ETICK: $F @ \theta \xrightarrow{(\{\{\tau\}\},\, \theta)} F @ \delta_\tau(\theta)$, if $\theta$ enables $\delta_\tau$

EAT: $F \xrightarrow{(\Gamma,\, \theta_1)} F'$ implies $F @ \theta_2 \xrightarrow{(\Gamma,\, \theta_1)} F' @ \theta_2$

ESC: $F \xrightarrow{(\Gamma_1, \theta_1) + \cdots + (\Gamma_k, \theta_k)} F'$ implies
$F \mathrel{sc} a \xrightarrow{(\varphi_{sc\,a}(\{\Gamma_1, \ldots, \Gamma_k\}),\ \theta_1 + \cdots + \theta_k)} F' \mathrel{sc} a$,
if $\tau$ does not appear in any $\Gamma_i$ and $\{\Gamma_1, \ldots, \Gamma_k\} \in \mathrm{dom}(\varphi_{sc\,a})$

EOP: $F_1 \xrightarrow{\Lambda_1} F'_1$ and $F_2 \xrightarrow{\Lambda_2} F'_2$ imply
$F_1 \circ F_2 \xrightarrow{\Lambda_1 + \Lambda_2} F'_1 \circ F'_2$,
if $\tau$ appears neither in $\Lambda_1$ nor in $\Lambda_2$
3 Denotational Semantics

The Algebra of Boxes. We start by introducing the labelled coloured Petri
nets called boxes and the operations used to compose them. These operations
exactly correspond to those defined on terms: for each operator on terms, there
exists a similar operator defined on boxes.

The labelling of boxes allows to distinguish the entry, internal and exit places;
all together, they are called the control places since their role is to represent the
current state of the control flow. The marking of the entry places corresponds
to the initial marking of a box and thus we define $\overline{N}$ as the box $N$ in which
one token is added to each entry place. Similarly, the exit places correspond to
the final marking and $\underline{N}$ is defined as expected. The internal places
correspond to intermediate states during the execution of a box. Except for the
scoping, the operators of CTC are also based on the labels of places. For instance,
the sequential composition $N_1 ; N_2$ is defined by combining the exit places of
$N_1$ with the entry places of $N_2$, resulting in internal places whose marking
represents both the final marking of $N_1$ and the initial one of $N_2$.

Another class of places is distinguished thanks to their labels, these are the
clock places in which clock values are modelled. A box has exactly one clock place
labelled by $c$ for each $c \in C$. When several nets are combined, for instance using
the parallel composition, clock places with the same label are automatically
merged (with their markings), ensuring a unique representation of each clock.
While the control places are only allowed to carry the ordinary black token $\bullet$,
each clock place may carry any integer from $\mathbb{N}$. Thus, the clock places are
the only coloured ones.

The labelling of an arc consists in a multiset of values, variables or expressions
which represents the tokens flowing on the arc when the attached transition is
executed.

The labelling of a transition contains a multiaction as in atomic terms. This
allows to define the scoping w.r.t. $a \in A$, whose role is to merge sets of
transitions whose labels $\alpha_1, \ldots, \alpha_k$ belong to the domain of
$\varphi_{sc\,a}$, the newly created transition being labelled by
$\varphi_{sc\,a}(\{\alpha_1, \ldots, \alpha_k\})$. Transitions are also labelled by
guards (boolean conditions involving the variables used in adjacent arcs) which
must evaluate to true in order to allow the execution of the transitions. When
this occurs, the variables in the guard and the adjacent arcs are associated to
values through a binding $\sigma$ and we denote by $t_\sigma$ the occurrence of $t$ under
the binding $\sigma$.



From Terms to Boxes. Let $\alpha\delta$ be an atomic term, its denotational semantics
is given by the box $N_{\alpha\delta}$ defined as follows. Its places are: one entry place
$s_e$, one exit place $s_x$, and one clock place $s_c$ labelled by $c$ for each $c \in C$.
The marking is empty for the control places and $\{0\}$ for the clock places. The box
has one transition $t$ labelled by $\{\tau\}(\bigwedge_{c \in C} c < \max(c))$ which models
the tick and, for each $c \in C$, there is one arc labelled by $\{c\}$ from $s_c$ to $t$
and one arc labelled by $\{c + 1\}$ from $t$ to $s_c$. There is also one transition $u$
labelled by $\alpha\gamma$, where $\gamma$ is the conjunction of all the comparisons in
$\delta$ (or true if there is no comparison in $\delta$), which models the atomic action
$\alpha\delta$; a conjunction is needed because a clock vector enables $\delta$ only if all
its comparisons hold. This transition $u$ has one incoming arc from $s_e$ labelled by
$\{\bullet\}$ and one outgoing arc to $s_x$ with the same label. The other arcs on $u$
correspond to the clocks involved in $\delta$; for all $c \in C$:

— if $c$ appears in $\delta$ in comparisons only, then there is one arc from $s_c$ to $u$
labelled by $\{c\}$ and one arc from $u$ to $s_c$ with the same label;

— if $c$ appears in $\delta$ in an assignment $c := e$, where $e$ is an expression, then
there is one arc from $s_c$ to $u$ labelled by $\{c\}$ and one arc from $u$ to $s_c$
with the label $\{e\}$;

— if $c$ does not appear in $\delta$ then there is no arc between $s_c$ and $u$.

The denotational semantics is then defined by induction:

$\mathrm{box}(\alpha\delta) = N_{\alpha\delta}$, $\mathrm{box}(\overline{E}) = \overline{\mathrm{box}(E)}$, $\mathrm{box}(\underline{E}) = \underline{\mathrm{box}(E)}$,

$\mathrm{box}(F \mathrel{sc} a) = \mathrm{box}(F) \mathrel{sc} a$, $\mathrm{box}(F_1 \circ F_2) = \mathrm{box}(F_1) \circ \mathrm{box}(F_2)$,

where $\alpha\delta$ is an atomic term, $a \in A$ and $\circ \in \{\|, ;, \Box, \circledast\}$.
Moreover, for $\theta \in V$, $\mathrm{box}(F @ \theta)$ is $\mathrm{box}(F)$ in which the marking of
each clock place labelled by $c \in \mathrm{dom}(\theta)$ is set to $\{\theta(c)\}$. For example,
assuming $C = \{c\}$ and $\max(c) = 4$, the box on the left of the figure 4 is the box
of the term given in its caption.

The operational and denotational semantics are closely related: they are
actually consistent in arguably the strongest sense, since a term and the
corresponding box generate isomorphic transition systems.

4 Verification through Unfoldings

A well known technique to perform efficient model checking on Petri nets is to
use their concurrent semantics expressed by prefixes of their unfolding, which
are also Petri nets, see [8]. The traditional definition of unfoldings is based on
low-level Petri nets, but it was shown in [10] that coloured Petri nets like boxes
may be unfolded as well (producing a low-level net). An example of a box and
a prefix of its unfolding is given in the figure 4.

In the unfolding, places are called conditions and are labelled by the name and
the marking of the place to which they correspond in the original net; similarly,
transitions are called events and correspond to the transition occurrence which
labels them. The labelling function is a homomorphism and will be denoted
by $h$ in the following. In the figure 4, this labelling is indicated inside the nodes
and is simplified: a condition labelled by an integer $n$ denotes the presence of $n$
in the place $s_c$ and conditions labelled by $s_1$, $s_2$ or $s_3$ denote the token
$\bullet$ in the corresponding place.

An unfolding may be executed by putting one token in each condition with no
predecessor. One can check on the example that this allows to perfectly mimic the
behaviour of the original net. Notice that, when the pairs of conditions depicted
with double lines become marked, the execution may be continued from the
conditions depicted with thick lines. Indeed, these double-lined pairs are cuts
where the unfolding has been truncated since the corresponding markings were
already represented by the thick-lined pair of conditions. This allows to consider
only prefixes of the full unfolding, which may itself be infinite (if the net has an
infinite run). Such a prefix is complete (w.r.t. reachability properties) if every
reachable marking of the original net is represented in the prefix. This guarantees
that reachability properties can be verified on the prefix rather than on the
original net.

Fig. 4. The box of $\{a_1\}\{c := 0\} ; \{a_2\}\{c > 2\}$ (on the left) and a prefix of its
unfolding (on the right), where $\theta_i = \{c \mapsto i\}$ for $0 \leq i \leq 4$; assuming
$C = \{c\}$ and $\max(c) = 4$

The notion of completeness actually depends on the properties that should
be verified. Usually, those related to reachability are considered, but different
ones may be envisaged as in [9]. In our case, if only control flow properties
have to be verified on a box, the occurrences of ticks and the markings of clock
places could be removed from the unfolding of this box. In the following, we
present an intermediate simplification which keeps some timing information but
without its full precision: it will not be possible to know exactly the values of the
clocks when an event occurs; instead, we will obtain a range of possible values.
Moreover, in the simplified unfolding, an event labelled by an occurrence of the
tick transition will denote that "time is passing" instead of the more accurate
"one tick occurs".



Simplification of Unfoldings. We now show how to collapse chains of ticks
(as, e.g., at the bottom-right of the figure 4), thus removing the sensitivity of
model checking to the constants used in clock expressions. It should be stressed
that, for practical applications, the transformation described below should be
applied on-the-fly during the computation of the unfolding; but, the principle
being independent of the algorithm actually used, we prefer the current
presentation.

Let $x$ be an event or a condition, we denote by ${}^\bullet x$ the set of nodes
immediately preceding $x$ and by $x^\bullet$ those immediately succeeding $x$. This
notation naturally extends to sets of nodes. For a set $E$ of events, we denote by
$\mathrm{trans}(E)$ the multiset of transitions involved in $E$, i.e.,

$$\mathrm{trans}(E) = \sum_{e \in E \,\wedge\, h(e) = t_\sigma} \{t\} .$$

To start with, we change the labelling of conditions to triples $(s, p, q)$ where $s$
is a place of the original net and $p$, $q$ are integers such that $0 \leq p \leq q$. If $s$
is a control place, this label indicates that the condition corresponds to $s$ marked
by $\bullet$; but if $s$ is a clock place, the condition corresponds to the place $s$ whose
marking is any integer in $\{p, \ldots, q\}$. So, the labelling is changed as follows: for
each condition which corresponds to the marking of the control place $s$, the
label becomes $(s, 0, 0)$; for each condition which corresponds to the marking of
the clock place $s'$ by the integer $n$, the label is changed to $(s', n, n)$.

Then, we consider an event $e$ labelled by an occurrence $t_\sigma$ of the tick
transition. We call $e$ a tick event. One can show that, if ${}^\bullet e = \{c_1, \ldots, c_k\}$
with $h(c_i) = (s_i, p_i, q_i)$ for $1 \leq i \leq k$, then, because the tick transition is
connected to clock places through side loops (and not connected to any other
place), we must have $e^\bullet = \{c'_1, \ldots, c'_k\}$ and $h(c'_i) = (s_i, p'_i, q'_i)$ for
$1 \leq i \leq k$. We distinguish two sets of events: $E = ({}^\bullet e)^\bullet$ which
contains all the events in conflict with $e$ (including $e$) and $E' = (e^\bullet)^\bullet$
which contains all the events enabled by the occurrence of $e$. Then, if
$\mathrm{trans}(E) = \mathrm{trans}(E')$, it means that the tick does not change the enabling
in the net (it may change the bindings but not the transitions which are enabled).
So, $e$ is removed and the conditions in $e^\bullet$ are merged to those in ${}^\bullet e$.
Each condition $c'_i$ (whose label is $(s_i, p'_i, q'_i)$) is merged to the corresponding
$c_i$ (labelled by $(s_i, p_i, q_i)$) as follows:

— the condition $c'_i$ is removed and the label of $c_i$ is changed to $(s_i, p_i, q'_i)$;

— each tick event $e' \in E'$ becomes a successor of $c_i$;

— each non-tick event $e' \in E'$ is removed as well as all its successor nodes. This
allows to remove branches which were already possible before the occurrence
of the tick.

This simplification step has to be repeated iteratively for all the tick events.
We already remarked that, during each step, for $1 \leq i \leq k$, $c_i \in {}^\bullet E$ and
$c'_i \in {}^\bullet E'$ are such that $h(c_i) = (s_i, p_i, q_i)$ and $h(c'_i) = (s_i, p'_i, q'_i)$.
One can now show that we also have $p'_i = q_i + 1$ and that this remains true after
some tick events have been removed. It may also be shown that the order in which
tick events are considered has no influence on the final result.

Fig. 5. On the left, the prefix generated using the first method, and on the right,
using the second one. The bindings are no longer relevant and thus not indicated

By applying this transformation, we obtain the prefix given on the left of the
figure 5; notice that some conditions are now labelled by lists or ranges of
integers when they correspond to several possible markings of $s_c$. One can see
that the left part of the original prefix has been simplified and that the only
remaining visible tick is the one which leads to have 4 in $s_c$, thus disabling any
further tick. Similarly, the right branch was also simplified and the two remaining
occurrences of $v$ correspond to the two following situations: both $v$ and $t$ are
enabled; or only $v$ is enabled.

It may be considered that too much information is still present in the prefix.
In particular, one can distinguish between states from which a tick can or cannot
occur, which is an information only related to our particular modelling of time.
In order to simplify again, we can use the same transformation scheme but,
instead of removing a tick event when $\mathrm{trans}(E) = \mathrm{trans}(E')$, we use the
weaker condition $\mathrm{trans}(E/\tau) = \mathrm{trans}(E'/\tau)$ where $X/\tau$ is $X$ from which
all the tick events have been removed. This new criterion leads to the prefix given
on the right of the figure 5 in which the only remaining tick event denotes that
time must pass. All the situations in which time only may pass have been hidden.
Choosing one or the other criterion depends on whether one wants to always know
when ticks are possible or not. But, in both cases, we achieved our goal which was
to remove the sensitivity to constants.
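The clock vectors and clock expressions of section 2 and the tick collapsing of this section, as one added example that is not the authors' code: the term of figure 4, $\{a_1\}\{c := 0\} ; \{a_2\}\{c > 2\}$, is executed by the rules EA and ETICK over an explicit reachability graph, then tick edges between states that enable the same transitions are merged into clock ranges, first with the tick counted among the enabled transitions and then with the weaker criterion that ignores it. Because the graph is an interleaving state graph and not an unfolding, `collapse` is the interleaving analogue of the criterion $\mathrm{trans}(E) = \mathrm{trans}(E')$, not the algorithm above; the initial clock value 0 and the parametrisation of $\max(c)$ and of the constant 2 are this example's assumptions, made so that the state count can be compared for a large constant.

```python
"""Causal-time semantics of a CTC term and tick collapsing (added example).

The term is the one of figure 4, {a1}{c := 0} ; {a2}{c > 2}, with C = {c}.
The paper fixes max(c) = 4; the initial value 0 and the variable guard are
this example's assumptions.  States are (position in the sequence, clock
vector) explored as an interleaving reachability graph, so `collapse` is the
interleaving analogue of trans(E) = trans(E'), not the unfolding algorithm.
"""
from collections import defaultdict

TICK = "tick"


def freeze(theta):
    """Hashable form of a clock vector (dict clock -> value)."""
    return tuple(sorted(theta.items()))


def enables(theta, maxc, comparisons, assignments):
    """theta enables a clock expression iff every comparison holds and every
    assignment c := e keeps theta(e) <= max(c) (section 2, 'Clocks')."""
    env = dict(theta)
    if not all(comp(env) for comp in comparisons):
        return False
    return all(expr(env) <= maxc[c] for c, expr in assignments.items())


def apply_assignments(theta, assignments):
    """delta(theta): every assignment is evaluated on the old values."""
    env = dict(theta)
    return {c: (assignments[c](env) if c in assignments else v) for c, v in env.items()}


def term_fig4(guard):
    """{a1}{c := 0} ; {a2}{c > guard} as (multiaction, comparisons, assignments)."""
    return [("a1", [], {"c": lambda env: 0}),
            ("a2", [lambda env: env["c"] > guard], {})]


def successors(state, term, maxc):
    """Rule ETICK (all clocks + 1 unless one is at its maximum) and rule EA
    (the next atomic term fires if its clock expression is enabled)."""
    pos, theta = state
    theta, out = dict(theta), []
    delta_tau = {c: (lambda env, c=c: env[c] + 1) for c in theta}
    if enables(theta, maxc, [], delta_tau):
        out.append((TICK, (pos, freeze(apply_assignments(theta, delta_tau)))))
    if pos < len(term):
        label, comparisons, assignments = term[pos]
        if enables(theta, maxc, comparisons, assignments):
            out.append((label, (pos + 1, freeze(apply_assignments(theta, assignments)))))
    return out


def reachability_graph(term, maxc, theta0):
    """Every reachable state with its outgoing (label, successor) edges."""
    start = (0, freeze(theta0))
    edges, todo = {}, [start]
    while todo:
        s = todo.pop()
        if s not in edges:
            edges[s] = successors(s, term, maxc)
            todo.extend(t for _, t in edges[s])
    return start, edges


def collapse(edges, ignore_tick=False):
    """Merge s' into s along each tick edge s -> s' whose endpoints enable the
    same transitions (labels of outgoing edges); ignore_tick=True disregards the
    tick itself, the weaker criterion trans(E/tau) = trans(E'/tau).  Returns the
    merged states as (position, {clock: (min, max)}) and the surviving tick edges."""
    def labels(s):
        ls = {lbl for lbl, _ in edges[s]}
        return ls - {TICK} if ignore_tick else ls

    parent = {s: s for s in edges}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    for s, succ in edges.items():
        for lbl, t in succ:
            if lbl == TICK and labels(s) == labels(t):
                parent[find(t)] = find(s)
    classes = defaultdict(list)
    for s in edges:
        classes[find(s)].append(s)
    merged = []
    for members in classes.values():
        values = defaultdict(list)
        for _, theta in members:
            for c, v in theta:
                values[c].append(v)
        merged.append((members[0][0], {c: (min(vs), max(vs)) for c, vs in values.items()}))
    surviving = {(find(s), find(t)) for s, succ in edges.items()
                 for lbl, t in succ if lbl == TICK and find(s) != find(t)}
    return sorted(merged, key=lambda m: (m[0], sorted(m[1].items()))), len(surviving)


if __name__ == "__main__":
    for maxc, guard in ((4, 2), (40, 20)):
        _, graph = reachability_graph(term_fig4(guard), {"c": maxc}, {"c": 0})
        strict, _ = collapse(graph)
        weak, ticks = collapse(graph, ignore_tick=True)
        print(f"max(c)={maxc}: {len(graph)} states, {len(strict)} with the first "
              f"criterion, {len(weak)} with the second ({ticks} tick left)")
```

With max(c) = 4 the second criterion leaves exactly one tick edge, from the state where only time may pass to the one where $a_2$ is enabled, and the state with c in 3..4 at position 1 is the merged pair in which $a_2$ can fire; raising the constants to 40 and 20 multiplies the raw state count by about eight but leaves the collapsed graph at four states.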
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5 Conclusion 

We defined a process algebra with multiway communication and timing features 
through directly handled clocks. This model, the Causal Time Calculus (CTC), 
was provided with a structural operational semantics as well as with a consistent 
denotational semantics in terms of labelled coloured Petri nets. These nets use 
the so-called causal time approach to the modelling of time, which was shown 
in a previous paper [3] to have the potential for efficient verification but to 
suffer from a sensitivity to constants compared to clocks. An important 
contribution of this paper was to show how to remove this weakness. 

As an extension of the Petri Box Calculus (PBC) [2], CTC is similar to 
the approach in [11] where the author extends PBC with time using time Petri 
nets [15] for the denotational semantics. A similar result is also obtained in [14] 
where timed Petri nets [19] are used. It should be noted that, in both cases, 
the model checking of the underlying models is known to be much less efficient 
than that of standard Petri nets. This makes an important difference with 
CTC, for which the efficiency of the verification was a major concern. Moreover, 
we introduced time through explicit clocks directly handled by the processes, 
which is known to be useful for modelling timed systems (this is indeed the 
scheme used in timed automata). Among process algebras not related to PBC, we 
should distinguish ARTS [6, chap. 5], which has been designed in order to denote 
timed automata while CTC denotes Petri nets; ARTS thus provides continuous 
time while CTC uses discrete time. Another difference is that the operational 
semantics in ARTS is used to give a translation from terms to automata, while 
in CTC it is independent of Petri nets (even if both semantics are consistent). 
It finally appears that both algebras may be complementary, as they denote 
objects on which model checking can be performed efficiently. Which one to use 
in which case is still a topic for future research. Concerning the other process 
algebras with time (for instance those based on CCS, see [5]), it may be remarked 
that most of them also use ticks to model the passing of time. However, they 
generally consider an interleaving semantics of parallelism while CTC considers 
true concurrency, and most of these algebras do not provide multiway communication 
as in CTC. 

Several extensions to the model presented here can be envisaged, in partic- 
ular: actions with parameters, allowing data to be exchanged during handshakes; 
buffered communication, allowing program variables to be modelled; and guards, al- 
lowing one to specify conditions under which an atomic process may be executed. 
Incorporating these features should be straightforward since they are already 
defined in several extensions of PBC (in particular in [4]). Another extension 
would be to allow the maximum values of clocks to be changed dynamically. 
This must be addressed carefully in order to guarantee that either a finite prefix 
of the unfoldings can always be found or methods dedicated to infinite state 
spaces can be used. 

Last but not least, an in-depth study of the unfolding simplification proposed 
here appears necessary in order to know exactly what its influence is on the 
properties which can be verified: which ones are preserved and which ones are 
hidden. One way to reach this goal is to define a timed temporal logic in order to 
specify properties which could then be verified automatically. The more complete 
this logic is, the more we will know about the properties preserved by our 
unfolding simplification. 
Abstract. We present ELSE, a new state generator for timed automata. 
ELSE is based on VERIMAG’s IF-2.0 specification language and is de- 
signed to be used with state exploration tools like CADP. In particular, 
it compiles IF-2.0 specifications to C programs that link with CADP. It 
thus concentrates on the generation of comparatively small state spaces 
and integrates into existing tool chains. The emphasis of the ELSE de- 
velopment is on fundamentally different data structures and algorithms, 
notably on the level of zones. Rather than representing possible values 
of clocks at a given symbolic state, event zones represent in an abstract 
way the timing constraints of past and future events. 



1 Introduction 

Timed automata [AD94] are a powerful tool for the modeling and analysis of 
timed systems. They extend classical automata by clocks, continuous variables 
“measuring” the flow of time. A state of a timed automaton is thus a combi- 
nation of its discrete control locations and the clock values taken from the real 
domain. While the resulting state spaces are infinite, clock constraints have been 
introduced to abstract the state spaces to a finite set of equivalence classes, thus 
yielding a finite (although often huge) symbolic state graph on which reachability 
and some other verification problems can be resolved. 

While the theory, algorithms and tools like IF/Kronos [BFG+99] and Up- 
paal [LPY95] for timed automata represent a considerable achievement, they 
suffer for various reasons from combinatorial explosion, which still limits their 
applicability in practice. A great effort has been invested into optimization of 
representations of clock constraints, e.g. [DY96, BLP+99]. 

ELSE, developed at the Laboratoire d’Informatique Fondamentale in Mar- 
seille, is a new state generator (the engine of algorithmic analysis) for timed au- 
tomata incorporating alternative semantics that may allow certain partial order 
reduction approaches. ELSE is designed to be compatible with IF [BFG+99], no- 
tably the IF-2.0 specification language, for which it implements a new semantics 
allowing state space reduction with respect to parallelism while preserving reach- 
ability properties: The components of a parallel system (like networks of commu- 
nicating transition systems) can sometimes progress independently, sometimes 
interact. Basic verification techniques rely on an interleaving approach, where 
global states are tuples of local states. The resulting global transition systems 
can have a very redundant structure (which is responsible for the state explo- 
sion) including so-called diamonds, pairs of commuting transitions that can be 
executed in either order leading to the same state. Partial order reduction tech- 
niques [Pel93, God96] together with their tools (e.g. SPIN) give an answer to this 
phenomenon by reducing the search space based on this redundancy for discrete 
systems. 

Partial Order Semantics for Timed Automata. A natural question is the 
applicability of partial order reductions to networks of timed automata. However, 
as has been observed by several authors, the standard interleaving semantics 
combined with symbolic states via clock constraints results in transitions that 
do not commute. Several kinds of answers have been given to this problem: 
adapt the persistent set method [YS97]; define a local time semantics [BJLY98, 
Min99]. In [DT98], the authors start adapting the notion of equivalence classes 
of transition sequences to timed automata. 

The approach followed by ELSE is formally defined in [LNZ03]. Basically, 
the chosen semantics relaxes constraints between independent components (au- 
tomata and clocks) so that diamonds are almost preserved. Termination 
and a bound on the number of symbolic states, a problem known from [BJLY98, 
Min99], are ensured by a symbolic state equivalence relation, which allows us to 
explore just one state of an equivalence class. The equivalence is closely related 
to well known abstractions on clock constraints in classical timed automata, but 
its use is radically different: Rather than modifying/abstracting states during 
exploration, states with an already explored equivalent state are cut. This guar- 
antees that our symbolic transition systems are not bigger than those resulting 
from the classical approach; the price for this guarantee is that, compared 
to [BJLY98, Min99], we do not preserve full commutation and partial 
order reductions cannot be applied naively. 

But partial order reduction is not the only concern about the alternative 
semantics. As we will indicate, classical semantics suffers from a state splitting 
phenomenon (equivalent discrete paths lead to incomparable symbolic states), 
which we can avoid with the alternative semantics. 

2 Scope and Architecture of ELSE 

The generator ELSE is a tool to automatically translate a description of a net- 
work of timed automata in the IF syntax to C code providing a data structure 
for the symbolic states as defined in [LNZ03] , and a mechanism to compute sym- 
bolic transitions from a given symbolic state. These elements can then be used 
by tools for exploring a symbolic reachability graph, CADP in particular. ELSE 
thus remains just one, yet a crucial component in a tool chain: Specifications 
may either directly be written in IF or obtained by (existing) translations to 
IF from various commonly used specification languages. ELSE provides a state 
generator; CADP may be used to explore it for reachability or more complex 
verification algorithms. 

ELSE: A New Symbolic State Generator for Timed Automata 

To achieve this, ELSE is composed of: 

- A compiler, else2c, which generates the symbolic transition systems. It trans- 
lates the description of a set of timed automata into C functions which com- 
pute them. The description must be written in the IF syntax; 

- A library computing operations on clock constraints, called elsezone. It 
contains all functions which are needed by the functions generated by the 
compiler. 

To summarize, the following figure shows how ELSE works: Given a network of 
timed automata described in IF (file sys.els), the compiler else2c gen- 
erates C functions (file sys.c) computing the corresponding symbolic transition 
system. The generated functions may call functions on clock constraints from the 
clock constraint library (file elsezone.c). 




Internals of else2c. After the syntactic verification of the system description, 
the generation of the C code used as entry by a graph explorer is done in two 
main steps: 

First, the C representation of (symbolic) states of the reachability graph is 
created. The generated data structure, a static record with some dynamic attach- 
ments, represents in a hierarchical manner the hierarchy of the system structure, 
as much as is possible in C, e.g. the automata are represented as subrecords, etc. 
Clock constraint representations in our setting do not have a fixed size and are 
kept apart. 

Then the compiler computes a function for the interface, which, given a sym- 
bolic state of the reachability graph, computes and returns implicitly the list of 
its successors. A specific function is generated for the initial state creation. 

3 Event Zones and the Library elsezone 

For this section, we assume some familiarity with zones as used in classical timed 
automata tools. 
Fig. 1. Example automaton 



The library elsezone contains all the functions computing the operations on 
constraints, called event zones, as defined in [LNZ03]. For illustration, let us 
consider a part of a timed automaton with transitions named a, b and c, where we 
assume a and c to belong to process number 0 whereas b and c are transitions of 
process number 0. In other words, transitions a and b are of independent origin 
(and address different clocks here), whereas transition c is a common transition, 
dependent on both a and b (and the clocks they address). Such a situation is 
depicted in Figure 1. 

Zones of classical timed automata, “clock zones”, represent sets of clock val- 
ues symbolically by difference bound matrices. Matrices as in Figure 2 repre- 
sent, for pairs of variables (x, y), constraints on the difference x - y. The passage 
from one symbolic state to another here consists of several steps (letting time 
advance, i.e. relaxing the upper bounds of clock variables; intersection with the transition 
guard; resetting clocks (to zero) by coupling them to the variable corresponding 
to 0). The nature of these steps implies that symbolic paths executing a first 
and then b, or the other way around, lead to incomparable clock zones, and these 
differences may be propagated. This is one additional source of state explosion 
in timed automata. 
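As an added illustration of the incomparability just described (constructed example code, not part of this paper or of the elsezone library), the following C implements the classical steps on a difference bound matrix and runs the two interleavings of two independent transitions; the transitions a (resets clock X) and b (guard Y ≤ 3, resets Y) are assumed here for the example, not taken from Figure 1.

```c
/* Added example (not code from ELSE or elsezone): classical clock zones as
 * difference bound matrices, with the forward steps described above applied
 * to two constructed independent transitions a and b, to show that the
 * interleavings ab and ba yield incomparable zones.  Index 0 is the
 * constant-zero reference clock, X and Y are the two clocks. */
#include <string.h>
#define N   3            /* reference clock + X + Y */
#define INF 1000000      /* stands in for "no upper bound" */
enum { X = 1, Y = 2 };
typedef struct { int d[N][N]; } Dbm;  /* d[i][j]: clock_i - clock_j <= d[i][j] */
static int imin(int a, int b) { return a < b ? a : b; }

/* Floyd-Warshall closure: tighten every bound to what the others imply. */
static void dbm_close(Dbm *z) {
    for (int k = 0; k < N; k++)
        for (int i = 0; i < N; i++)
            for (int j = 0; j < N; j++)
                if (z->d[i][k] < INF && z->d[k][j] < INF)
                    z->d[i][j] = imin(z->d[i][j], z->d[i][k] + z->d[k][j]);
}
/* Time elapse: relax the upper bound of every clock (row 0 is unchanged). */
static void dbm_up(Dbm *z) { for (int i = 1; i < N; i++) z->d[i][0] = INF; }
/* Guard "clk <= k": intersect, then re-close. */
static void dbm_guard_le(Dbm *z, int clk, int k) { z->d[clk][0] = imin(z->d[clk][0], k); dbm_close(z); }
/* Reset clk to 0 by coupling it to the reference clock (row/column 0). */
static void dbm_reset(Dbm *z, int clk) {
    for (int j = 0; j < N; j++) { z->d[clk][j] = z->d[0][j]; z->d[j][clk] = z->d[j][0]; }
    z->d[clk][clk] = 0;
}
/* For closed DBMs: a contains b iff every bound of b is at most that of a. */
static int dbm_includes(const Dbm *a, const Dbm *b) {
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++)
            if (b->d[i][j] > a->d[i][j]) return 0;
    return 1;
}

/* Constructed transitions: a resets X; b is guarded by Y <= 3 and resets Y.
 * A symbolic successor is up(reset(Z intersected with the guard)). */
static void step_a(Dbm *z) { dbm_reset(z, X); dbm_up(z); dbm_close(z); }
static void step_b(Dbm *z) { dbm_guard_le(z, Y, 3); dbm_reset(z, Y); dbm_up(z); dbm_close(z); }

/* From the initial zone (all clocks 0, time elapsing), run ab and ba. */
static void zones_after_ab_ba(Dbm *zab, Dbm *zba) {
    memset(zab, 0, sizeof *zab); dbm_up(zab); dbm_close(zab);
    *zba = *zab;
    step_a(zab); step_b(zab);   /* ab: 0 <= Y <= X <= Y + 3 */
    step_b(zba); step_a(zba);   /* ba: 0 <= X <= Y          */
}
/* Bound d[i][j] of the zone reached by ab (path 0) or by ba (path 1). */
int zone_bound(int path, int i, int j) {
    Dbm zab, zba;
    zones_after_ab_ba(&zab, &zba);
    return path == 0 ? zab.d[i][j] : zba.d[i][j];
}
/* 1 iff neither interleaving's zone contains the other's. */
int ab_ba_incomparable(void) {
    Dbm zab, zba;
    zones_after_ab_ba(&zab, &zba);
    return !dbm_includes(&zab, &zba) && !dbm_includes(&zba, &zab);
}
```

After ab the zone satisfies Y ≤ X ≤ Y + 3, after ba it satisfies X ≤ Y; they overlap only on X = Y, so an explorer keyed on zones visits both.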

In contrast to this classical approach, we have taken a philosophical shift 
for ELSE: Event zones represent constraints for the occurrence times of certain 
events. A constraint “Y ≤ 3” guarding a transition b can indeed be read in two 
ways: (a) at the moment of occurrence of the transition, clock Y must have 
a value inferior to 3; (b) the difference of occurrence times of the transition in 
question and the last preceding reset of clock Y is 3. 
Fig. 2. Symbolic states with classical zones 



Event zones (described in more detail in [LNZ03]) thus consist of a matrix of 
constraints on events and a list of “pointers” from clocks (and from components) 
to indicate which was the last event of a reset of clock X, etc. The latter 
pointers are needed as it is via them that constraints link future events with 
the events already present in the event zone: either from clock constraints or 
due to causality (an event f causally depending on a preceding event e must 
occur later). After a reset of clock X, no preceding reset of X can be linked to 
by a clock constraint on X in a future transition. Since no more reference to this 
event is possible, we can remove it, like “garbage collection”. Events that are not 
referenced by pointers may be projected away. As a consequence, the dimension of 
the constraint matrix is variable (it may grow and shrink again). But its growth 
is bounded by n + m dimensions (number of clocks plus number of processes). In 
case of a fully sequential system, this bound is equal to n + 1, which corresponds 
to the dimension of classical zones (one dimension per clock and one dimension 
for “0”). The initial event zone has dimension one, consisting of a hypothetical 
“start event” (which occurs at time 0 and where all clocks are reset to 0). 

As a transition occurs: (1) add a new event; (2) recompute constraints with 
respect to its links to previous events (this is an incremental Floyd-Warshall 
algorithm that is at worst of quadratic complexity); (3) change references; (4) 
garbage-collect events (lines and columns) in the matrix that lack a reference. 

Fig. 3. Symbolic states with event zones 



The event based view has the consequence that the independent events of 
transitions a and b are indeed not directly linked by constraints and are in 
particular not affected by the order of occurrence: The paths ab and ba lead 
to the same event zone (up to renaming of events). This equivalence is easily 
detected by an appropriate hash function. This hash function interprets the 
event zone as constraints on clocks and processes (via the pointers) and thus 
cannot distinguish (renaming equivalent) event zones. 

It is interesting to note that the event zone(s) reached by ab and ba, when read 
as constraints on the clocks, actually contain the clock zones of both executions 
ab and ba in the classical timed automaton. 

Bounds Abstraction 

The bounds on the dimension of the event zones are not sufficient to guaran- 
tee termination. In classical timed automata, arguments related to bisimulation 
equivalence of concrete states are used to justify semantics preserving modi- 
fications of zones (widening to infinity of bounds that are beyond a certain 
threshold). 

This widening is incompatible with event zones (it does not preserve reacha- 
bility), but in [LNZ03] a sophisticated argument is given on how a closely related 
abstraction allows exploring only one of several event zones that exceed certain 
thresholds in the same sense. This abstraction is used before hashing. A rather 
interesting difference between the classical approaches and ELSE is that compu- 
tation on zones in the latter is always precise while preserving the same worst 
case bounds for the size of the explored state space. 



4 Status of Development and Future Work 

The development of ELSE is recent; up to now the invested effort is about 12 
person months. The complete translation chain is running, i.e. syntactic analysis, 
semantic analysis and code generation, and there exists a prototype implemen- 
tation of the elsezone library. However, coverage of the IF-2.0 language is very 
partial; we add code when we need it for modelling. The main current objective 
is to improve the efficiency of the zone library. 

We have begun experimenting with the prototype, in particular exploring 
artificial academic examples where the event zone approach seems superior to 
classical zones. On some example series, exponential savings have been achieved 
by running ELSE against itself with the two semantics. 